<!DOCTYPE html><html><head><meta charSet="utf-8" /><meta httpEquiv="x-ua-compatible" content="ie=edge" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><style data-href="/styles.7bad220205e9949eef9f.css" data-identity="gatsby-global-css">.ss--accordion{border-top:2px solid #252a25;margin:auto;max-width:90rem;position:relative}.ss--accordion h4{margin:0;text-align:left}@media print,screen and (min-width:64em){.ss--accordion h4{font-size:1.5rem}}.ss--accordion p:last-child{margin:0}.ss--accordion__item{border-bottom:1px solid #252a25;padding:1.25rem 0;position:relative}.ss--block--bg-primary .ss--accordion__item{border-bottom:1px solid var(--block-text-color)}.ss--accordion__content{padding-top:1.25rem}.ss--accordion__header{align-items:center;background:transparent;border:0;display:flex;justify-content:space-between;padding:0 1.25rem 0 0;width:100%}.ss--accordion__icon{align-items:center;border-radius:100%;color:currentColor;display:flex;height:1.875rem;justify-content:center;width:1.875rem}.ss--block--bg-dark .ss--accordion__icon{background-color:var(--block-link-color);color:var(--block-bg)}.ss--accordion__icon svg{font-size:.875rem;height:1em;transform:rotate(90deg);width:1em}.ss--block{position:relative}.ss--block--gutters{padding-left:1.25rem;padding-right:1.25rem}@media screen and (min-width:75em){.ss--block--gutters{padding-left:0;padding-right:0}}.ss--block--bg-gray{background-color:#eff2f2}.ss--block--bg-primary-gradient{background:linear-gradient(216.32794deg,#00bebe,#008a55)}.ss--blockquote blockquote{font-size:1.3125rem;margin:0;padding:1.25rem 0}@media screen and (min-width:49.25em){.ss--blockquote blockquote{padding:1.25rem 1.875rem}}.ss--breadcrumbs{font-size:.875rem;margin:0 auto;max-width:73.125rem;padding:1.25rem 1.25rem 0}@media screen and (min-width:75em){.ss--breadcrumbs{padding:1.25rem 0 0}}.ss--breadcrumbs ul{line-height:1}.ss--breadcrumbs 
a{color:currentColor;text-decoration:none}.ss--breadcrumbs__list{list-style:none;margin:0 0 2.5rem;padding:0}.ss--breadcrumbs__item{display:inline-block;margin:0 0 .3125rem}.ss--breadcrumbs__item:not(:last-child):after{color:#252a25;content:"/";display:inline-block;padding:0 .5em}:root{--button-text-color:currentColor;--button-bg-color:#2a8e5a;--button-bg-active:#216f46;--button-bg-hover:#247a4e;--button-border-color:currentColor}.ss--button{align-items:center;background:var(--button-bg-color);border:0;border-radius:3px;box-shadow:none;color:var(--button-text-color);cursor:pointer;display:flex;font-family:Monda,sans-serif;font-size:.875rem;font-weight:400;justify-content:center;line-height:normal;overflow:hidden;padding:.6em 1.5em;position:relative;text-align:center;text-decoration:none;text-transform:uppercase;width:100%}@media print,screen and (min-width:43.75em){.ss--button{font-size:1rem;width:-webkit-max-content;width:max-content}}.ss--button:after{background-color:currentColor;content:"";inset:0;opacity:0;position:absolute;transition:background .25s ease,opacity .25s ease}.ss--button:focus:after,.ss--button:hover:after{opacity:.1}.ss--button:active:after{opacity:.2}.ss--button[disabled]{box-shadow:none;opacity:.75;pointer-events:none}.ss--button 
span{color:var(--button-text-color);pointer-events:none;-webkit-user-select:none;-ms-user-select:none;user-select:none}.ss--button__icon{display:block;height:1em;line-height:1;width:1em}.ss--button__icon:first-child{margin-right:.5rem}.ss--button__icon:last-child{margin-left:.5rem}.ss--button--color-primary{--button-text-color:#fff;--button-bg-color:#2a8e5a;--button-bg-active:#216f46;--button-bg-hover:#247a4e;--button-border-color:#2a8e5a}.ss--button--color-secondary{--button-text-color:#fff;--button-bg-color:#252a25;--button-bg-active:#121412;--button-bg-hover:#191c19;--button-border-color:#252a25}.ss--button--color-accent{--button-text-color:#fff;--button-bg-color:#00bfbe;--button-bg-active:#009695;--button-bg-hover:#00a6a5;--button-border-color:transparent}.ss--button--color-white{--button-text-color:#fff;--button-bg-color:transparent;--button-bg-active:rgba(37,42,37,.08);--button-bg-hover:rgba(37,42,37,.05);--button-border-color:#fff}.ss--button--color-default{--button-text-color:#fff;--button-bg-color:#252a25;--button-bg-active:#384038;--button-bg-hover:#384038;--button-border-color:#252a25}.ss--button--style-bordered{--button-text-color:var(--button-border-color);background:none;border:1px solid var(--button-border-color)}.ss--button--style-unstyled{--button-text-color:var(--button-bg-color);background:none;border:none;box-shadow:none;cursor:pointer;display:inline-block;font-family:inherit;font-size:1rem;margin:0;padding:0;position:relative;text-align:left;width:unset}.ss--button--style-unstyled:focus,.ss--button--style-unstyled:hover{background:none;opacity:.85}.ss--button--style-unstyled:active{background:none}.ss--button--style-unstyled:after{display:none}.ss--button--elevated{box-shadow:0 .2px 2.2px rgba(0,0,0,.02),0 .4px 5.3px rgba(0,0,0,.028),0 .8px 10px rgba(0,0,0,.035),0 1.3px 17.9px rgba(0,0,0,.042),0 2.5px 33.4px rgba(0,0,0,.05),0 6px 80px rgba(0,0,0,.07)}.ss--button--alignment-center{margin:1rem auto 0}.ss--button--width-full{width:100%}@media 
print,screen and (min-width:43.75em){.ss--button--width-full{max-width:20rem}}.ss--button--menu-item{--button-bg-color:transparent;--button-bg-active:transparent;--button-bg-hover:transparent;background:none;border:0;color:currentColor;cursor:pointer;display:inline-block;font-size:1rem;font-weight:400;padding:0;position:relative;text-align:left;text-decoration:none;text-transform:none;width:100%}.ss--button--menu-item:active,.ss--button--menu-item:hover{opacity:.7}.ss--button--menu-item:active:after,.ss--button--menu-item:hover:after{opacity:0}.ss--button--close{left:1rem;position:absolute;top:1rem}.ss--checkbox{display:flex;padding-bottom:1rem}.ss--checkbox input{clip:rect(0,0,0,0)!important;align-items:center;border:0!important;display:flex;height:1px!important;overflow:hidden!important;padding:0!important;position:absolute!important;white-space:nowrap!important;width:1px!important}.ss--checkbox label{align-items:flex-start;display:flex;font-size:1rem;text-align:left}.ss--checkbox label svg{color:#2a8e5a;cursor:pointer;margin:0 1rem .125rem 0;min-height:1.25rem;min-width:1.25rem}.ss--checkbox [type=checkbox]{display:block;margin-right:1rem;margin-top:.4rem;min-width:.8rem}.ss--checkbox [type=checkbox]:-ms-input-placeholder{opacity:.4}.ss--checkbox [type=checkbox]::placeholder{opacity:.4}.ss--checkbox__checked{display:flex;position:relative}.ss--checkbox__checked .ss--checkbox__check{bottom:0;left:0;position:absolute;right:0;top:0}.ss--checkbox__checked .ss--checkbox__check svg{color:#252a25}.ss--checkbox--error .ss--checkbox__error{color:#d85d5d}.ss--chip{position:relative}.ss--chip__link.ss--chip__link{background-color:#2a8e5a;border-radius:50em;color:#fff;display:block;font-weight:300;line-height:normal;margin:0;padding:.41667rem 1.25rem;text-align:center;text-decoration:none;transition:background-color .25s ease,opacity .25s 
ease;white-space:nowrap}.ss--chip__link.ss--chip__link:active,.ss--chip__link.ss--chip__link:hover{background-color:#247a4e;color:#fff}.ss--chip__link.ss--chip__link[aria-current]{background-color:#2a8e5a;color:#fff}.ss--chip__link.ss--chip__link[aria-current]:active,.ss--chip__link.ss--chip__link[aria-current]:hover{background-color:#247a4e}.ss--chip--elevated a{box-shadow:0 .2px 2.2px rgba(0,0,0,.02),0 .4px 5.3px rgba(0,0,0,.028),0 .8px 10px rgba(0,0,0,.035),0 1.3px 17.9px rgba(0,0,0,.042),0 2.5px 33.4px rgba(0,0,0,.05),0 6px 80px rgba(0,0,0,.07)}.ss--chips{align-content:center;border:1px solid #252a25;display:flex;flex-direction:row;gap:1.25rem;overflow-x:scroll;padding:1.25rem}@media screen and (min-width:75em){.ss--chips{flex-wrap:wrap;overflow:hidden}}.ss--content a:not(.ss--button):not(.ss--chip__link){color:#2a8e5a;font-weight:400}.ss--content a:not(.ss--button):not(.ss--chip__link):focus,.ss--content a:not(.ss--button):not(.ss--chip__link):hover{color:#247a4e}.ss--content>h1{margin-bottom:2.5rem}.ss--content>h1:last-child,.ss--content>p:last-child{margin-bottom:0}.ss--content ul{margin:0 0 1rem 1.25rem;padding:0}.ss--content li{font-weight:300;line-height:1.5;margin-bottom:.625rem}.ss--content--bg-gray{background-color:#eff2f2}.ss--content--bg-primary-gradient{background:linear-gradient(216.32794deg,#00bebe,#008a55)}.ss--content--text-align-left{text-align:left}.ss--content--text-align-center{text-align:center}.ss--content--text-align-right{text-align:right}.ss--content--vertically-align-center{display:flex;flex-direction:column;justify-content:center}.ss--content--width-large,.ss--content--width-medium,.ss--content--width-small{margin:0 auto}.ss--content--width-small{max-width:48rem}.ss--content--width-medium{max-width:73.125rem}.ss--content--width-large{max-width:90rem}.ss--content--gutters{padding-left:1.25rem;padding-right:1.25rem}@media screen and (min-width:75em){.ss--content--gutters{padding-left:0;padding-right:0}}.ss--content--improved-typography 
p{margin-bottom:1.5625rem}.ss--copyright{font-size:.875rem;padding:2.5rem 0 0;text-align:center}.ss--copyright__link.ss--copyright__link{text-decoration:underline}@media screen and (min-width:75em){.ss--copyright{text-align:left}}.ss--copyright p{margin-bottom:0}.ss--cta{display:grid;overflow:hidden;position:relative;text-align:center;width:100%}@media screen and (min-width:75em){.ss--cta{padding-left:0;padding-right:0}}.ss--cta h1{font-size:2.625rem;margin-bottom:1.25rem}.ss--cta p{font-size:1.25rem;font-weight:400;margin-bottom:1.6625rem}.ss--cta__image.ss--cta__image{inset:0;-o-object-fit:cover;object-fit:cover;-o-object-position:50% 50%;object-position:50% 50%;position:absolute}.ss--cta__content{position:relative;z-index:3}.ss--cta--color-accent,.ss--cta--color-primary,.ss--cta--color-primaryGradient,.ss--cta--color-secondary{color:#fff}.ss--cta--color-primary{background-color:#2a8e5a}.ss--cta--color-secondary{background-color:#252a25}.ss--cta--color-accent{background-color:#2a8e5a}.ss--cta--color-primaryGradient{background-color:#33a49b;background-image:linear-gradient(216.32794deg,#00bebe,#008a55);background-position:50%;background-repeat:no-repeat;background-size:cover}.ss--cta--variant-hero .ss--cta__content{padding:11.25rem 1.25rem}.ss--cta--variant-default .ss--cta__content{padding:5rem 1.25rem}.ss--disclaimer p{font-size:.875rem;margin-bottom:0}.ss--drill-down{font-size:1.125rem;margin-top:4.125rem}.ss--drill-down__child,.ss--drill-down__list{list-style-type:none;margin:0;padding:0 1.25rem}.ss--drill-down__child li:not(:last-child):not(.ss--drill-down__subheading):after,.ss--drill-down__list li:not(:last-child):not(.ss--drill-down__subheading):after{background-color:#fff;content:"";display:block;height:1px;opacity:.5;width:100%}.ss--drill-down__subheading h4{padding-top:.75rem;text-transform:uppercase}.ss--drop-down{position:absolute;top:2.5rem;width:17.5rem}.ss--drop-down__list{background-color:#252a25;border-radius:0 0 .1875rem .1875rem;box-shadow:0 
.375rem .375rem 0 rgba(37,42,37,.08);color:#fff;list-style:none;margin:0;padding:1.25rem}.ss--drop-down--closed{pointer-events:none}.ss--drop-down--open{position:absolute}.headroom--unpinned .ss--drop-down--open{opacity:0;pointer-events:none}.ss--title-with-icon{display:flex;gap:.625rem}.ss--title-with-icon h3{width:100%}.ss--title-with-icon svg{color:#2a8e5a;font-size:1.575rem;height:1em;margin-bottom:1rem;width:1em}.ss--figure figure{margin:0 0 1.25rem}.ss--figure figcaption{color:#7a7a7a;font-style:italic;text-align:center}.ss--footer{background-color:#252a25;color:#fff}.ss--footer a{color:#fff;font-weight:300;text-decoration:none}.ss--footer a:visited{color:inherit}.ss--footer a:hover{opacity:.8}.ss--footer svg{color:#2a8e5a;font-size:1.25rem;margin-right:.625rem}.ss--footer ul{font-size:.875rem;list-style-type:none;margin:0;padding:1.25rem 0 0}.ss--footer li:not(:last-of-type),.ss--footer li:not(:only-of-type){margin-bottom:.625rem}.ss--footer__container{margin:0 auto;max-width:73.125rem;padding:1.25rem}@media screen and (min-width:75em){.ss--footer__container{padding:1.25rem 0}}.ss--footer__wrapper{display:flex;flex-direction:column-reverse;flex-wrap:wrap;gap:2.5rem}@media print,screen and (min-width:43.75em){.ss--footer__wrapper{flex-direction:row}}@media screen and (min-width:75em){.ss--footer__wrapper{display:grid;grid-template-columns:repeat(4,1fr)}}.ss--footer__menu{padding-bottom:2.5rem}@media screen and (min-width:75em){.ss--footer__menu{padding-bottom:0}}.ss--footer__menu:first-of-type{grid-row:1/2}.ss--footer__menu:last-of-type{grid-row:2/3}.ss--footer__menu:last-of-type svg{font-size:2rem}@media screen and (min-width:75em){.ss--footer__menu:not(:first-of-type):not(:last-of-type){grid-row:1/3}}.ss--footer__menu a[aria-current]{color:#2a8e5a}.ss--footer__menu button,.ss--footer__menu form{font-size:.875rem}.ss--footer__menu form{padding-top:1.25rem}.ss--footer__menu form 
input{height:auto}.ss--footer__menu-heading:after{background-color:#fff;content:"";display:block;height:1px;opacity:.5;top:1.25rem;width:100%}.ss--footer__social{display:flex}.ss--form button{margin-top:.3125rem}.ss--form fieldset{border:none;margin:0;padding:0}.ss--form__statement{text-align:left}.ss--form__response{padding-bottom:1.25rem}.ss--form__reponse-body{text-align:center}.ss--grid{margin:0 auto;max-width:74.375rem}@media screen and (min-width:75em){.ss--grid{overflow:unset}}.ss--grid__wrapper{display:flex;flex-direction:column;gap:1.25rem}@media print,screen and (min-width:64em){.ss--grid__wrapper{display:grid;gap:2.5rem;grid-template-columns:repeat(2,1fr)}}.ss--grid--gutters{padding-left:1.25rem;padding-right:1.25rem}@media screen and (min-width:75em){.ss--grid--gutters{padding-left:0;padding-right:0}}.ss--grid--nested{margin:0;padding:0}.ss--grid--nested .ss--grid__wrapper{display:grid;gap:1.25rem;grid-template-columns:repeat(2,1fr)}@media print,screen and (min-width:64em){.ss--grid--nested .ss--grid__wrapper{grid-template-columns:repeat(4,1fr)}}.ss--grid--nested .ss--grid__wrapper>div>div{display:flex;justify-content:center}.ss--grid--scroll-mobile{overflow:scroll;padding:0}.ss--grid--scroll-mobile .ss--grid__wrapper{display:inline-flex;gap:1.25rem}@media screen and (min-width:75em){.ss--grid--scroll-mobile .ss--grid__wrapper>div{margin-bottom:0}}.ss--grid--col-1 .ss--grid__wrapper{display:grid;gap:1.25rem;grid-template-columns:repeat(1,1fr)}@media screen and (min-width:75em){.ss--grid--col-3 .ss--grid__wrapper{display:grid;gap:1.25rem;grid-template-columns:repeat(3,1fr)}}@media screen and (min-width:31.25em){.ss--grid--col-4 .ss--grid__wrapper{display:grid;grid-template-columns:repeat(2,1fr)}}@media screen and (min-width:50em){.ss--grid--col-4 .ss--grid__wrapper{display:grid;grid-template-columns:repeat(3,1fr)}}@media print,screen and (min-width:64em){.ss--grid--col-4 
.ss--grid__wrapper{display:grid;grid-template-columns:repeat(4,1fr)}}.ss--grid--gap-large .ss--grid__wrapper{gap:2.5rem}@media print,screen and (max-width:74.99875em){.ss--grid--gap-none-mobile .ss--grid__wrapper{gap:0}.ss--grid--gap-none-mobile .ss--grid__wrapper>div{margin:0}.ss--grid--gap-none-mobile .ss--grid__wrapper ul{margin-bottom:0}}.ss--grid--reverse .ss--grid__wrapper{flex-direction:column-reverse}.ss--header{background-color:#252a25;box-shadow:0 .1875rem .375rem 0 rgba(37,42,37,.08),0 .1875rem .375rem 0 rgba(37,42,37,.08);position:relative;transition:background-color .3s linear;z-index:10}.layout--transparent-header .ss--header{background-color:transparent;background-image:linear-gradient(180deg,rgba(37,42,37,.4),transparent);box-shadow:none;position:relative}.layout--transparent-header .headroom--pinned .ss--header{background-color:#252a25;box-shadow:0 .1875rem .375rem 0 rgba(37,42,37,.08),0 .1875rem .375rem 0 rgba(37,42,37,.08)}.ss--header__container{margin:0 auto;max-width:73.125rem}.ss--header__wrapper{align-items:center;display:flex;flex-wrap:wrap;justify-content:flex-end;padding:.625rem 1.25rem;position:relative}@media screen and (min-width:75em){.ss--header__wrapper{padding:.625rem 0 1.25rem}}.ss--header__top .ss--header__wrapper{font-size:.875rem;padding:.41667rem 0;text-transform:uppercase}.ss--header__logo{justify-self:flex-start;margin-right:auto;position:relative;z-index:2}@media screen and (min-width:75em){.ss--header__logo{transform:translateY(-.375rem) scale(1.35);transform-origin:0 100%}}.ss--header__menu{display:none}@media screen and (min-width:75em){.ss--header__menu{display:block;margin-right:0}}.ss--header__cta{display:none}@media screen and (min-width:22.5em){.ss--header__cta{display:flex}}@media screen and (min-width:75em){.ss--header__cta{margin-left:1em}}.ss--header__cta>*{margin:0}.ss--header__icon button,.ss--header__icon span{display:flex}.ss--header__icon button{cursor:pointer}.ss--header__icon rect{fill:#fff}@media screen 
and (min-width:75em){.ss--header__icon{display:none}}.ss--header__top{background:linear-gradient(90deg,#252a25,#1e221e);color:#fff;display:none;font-family:Monda,sans-serif}@media screen and (min-width:75em){.ss--header__top{display:block}}.ss--header__link{color:#fff;transition:color .25s ease,opacity .25s ease}.ss--header__link:focus,.ss--header__link:hover{opacity:.65}.ss--header__link:not(:first-child){margin-left:1.25rem}.ss--header__link--parent{color:#2a8e5a}.ss--header__phone{justify-self:start;margin-left:0;margin-right:auto}.ss--hero{background-color:#33a49b;background-image:url("https://d33wubrfki0l68.cloudfront.net/ba9946ed33a410dafa38f5738b4e5f7ed4856e4d/7f519/hero-bg.webp");background-position:50%;background-repeat:no-repeat;background-size:cover;color:#fff;padding:11.25rem 0}.ss--hero p{font-size:1.25rem;font-weight:400}.ss--icon{align-items:center;display:flex;justify-content:center}.ss--image{margin:auto;width:100%}.image-with-content .ss--image{align-content:center}.ss--image img{margin-bottom:0}.ss--image>div{background-color:#f1f3f4;border-radius:6px;overflow:hidden}.ss--image__icon{background:transparent;border:0;bottom:1rem;color:#fff;filter:drop-shadow(1px 1px 4px rgba(37,42,37,.5));opacity:0;position:absolute;right:1rem;transform:translate(100%,100%);transition:all .25s cubic-bezier(.17,.67,.37,.95)}:hover>.ss--image__icon{opacity:1;transform:translate(0)}.ss--image--width-small{max-width:48rem}.ss--image--width-medium{max-width:73.125rem}.ss--image--width-large{max-width:90rem}.ss--image--width-full{max-width:unset}.ss--image--width-full .ss--image__wrap>div{border-radius:0}.ss--image--elevated>div{box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07)}.ss--image--lightbox{position:relative}.ss--image--lightbox>div{cursor:zoom-in}.ss--image-list{display:grid;gap:16px 
16px;grid-auto-rows:125px;grid-template-areas:". . . ."}.ss--image-list>*{border-radius:3px}.ss--image-with-content{display:flex;flex-direction:column-reverse;gap:1.25rem;margin:0 auto;max-width:73.125rem}@media print,screen and (min-width:64em){.ss--image-with-content{display:grid;gap:2.5rem;grid-template-columns:repeat(2,1fr)}}.ss--image-with-content--gutters{padding-left:1.25rem;padding-right:1.25rem}@media screen and (min-width:75em){.ss--image-with-content--gutters{padding-left:0;padding-right:0}}.ss--image-with-content--image-left>div{grid-row:1/2}.ss--image-with-content--image-left>div:first-of-type{grid-column:2/3}.ss--image-with-content--image-left>div:last-of-type{grid-column:1/2}.ss--input{padding-bottom:1.25rem}.ss--input input{-webkit-appearance:none;appearance:none;border:1px solid #252a25;border-radius:3px;box-sizing:border-box;display:block;height:2.8125rem;margin-top:.3125rem;padding:.75em 1em;width:100%}.ss--input input:-ms-input-placeholder{opacity:.4}.ss--input input::placeholder{opacity:.4}.ss--input label{clip:rect(0,0,0,0)!important;border:0!important;height:1px!important;overflow:hidden!important;padding:0!important;position:absolute!important;white-space:nowrap!important;width:1px!important}.ss--lazy-iframe{background-color:#252a25;padding-top:56.25%;position:relative}.ss--lazy-iframe,.ss--lazy-iframe iframe{border-radius:6px;overflow:hidden;width:100%}.ss--lazy-iframe iframe{height:100%;left:0;position:absolute;top:0}.ss--lazy-iframe--elevated{box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07)}.ss--logo{align-items:center;color:#fff;display:flex}.ss--logo svg{height:2.5rem}@media screen and (min-width:75em){.ss--logo svg{height:3.4375rem}}.layout--transparent-header .headroom--unfixed .ss--logo path{fill:#fff}.ss--menu__list{display:flex;list-style:none;margin:0;padding:0}.ss--menu__list 
.ss--menu__item,.ss--menu__list span{display:flex}.ss--menu__list .ss--menu__item{padding:0}.ss--menu__toggle{background:none;border:0;color:inherit;padding:0}.ss--menu__item{display:inline-block;margin:0;padding:.5em 0}.ss--menu__item--button{background-color:#2a8e5a;border-radius:3px;box-shadow:0 .2px 2.2px rgba(0,0,0,.02),0 .4px 5.3px rgba(0,0,0,.028),0 .8px 10px rgba(0,0,0,.035),0 1.3px 17.9px rgba(0,0,0,.042),0 2.5px 33.4px rgba(0,0,0,.05),0 6px 80px rgba(0,0,0,.07);cursor:pointer;margin-left:1em;position:relative;transition:background .25s ease,opacity .25s ease;z-index:6}.ss--menu__item--button:focus,.ss--menu__item--button:hover{background:#247a4e}.ss--menu__item--button:active{background:#216f46}.ss--menu__item--button .ss--menu__link{font-size:1.125rem;line-height:normal;padding:.6em 1.5em}.ss--menu__item--button .ss--menu__link:focus,.ss--menu__item--button .ss--menu__link:hover{opacity:1}.ss--menu__item--button .ss--menu__link--parent{color:#fff}.ss--menu__link{align-items:center;color:#fff;display:flex;font-size:1rem;letter-spacing:.09375rem;line-height:1;padding:.5em 1em;position:relative;text-decoration:none;z-index:2}.ss--menu__link:focus,.ss--menu__link:hover{opacity:.8}@media screen and (min-width:87.5em){.ss--menu__link{font-size:1.125rem}}.ss--menu__link>svg{font-size:1rem;height:1em;margin-left:.125rem;width:1em}.ss--menu__link--parent{color:#2a8e5a}.ss--menu-icon{align-items:center;background:none;border:0;display:flex;font-size:3.125rem;overflow:visible;padding:0}.ss--menu-icon svg{font-size:var(--header-button-size);height:1em;width:1em}.ss--menu-item{display:block;margin:0;position:relative}.ss--menu-item__back,.ss--menu-item__icon{height:1em}.ss--menu-item__back{margin-right:.5rem}.ss--menu-item a,.ss--menu-item button{padding:.5rem 0}.ss--menu-item--is-mobile a,.ss--menu-item--is-mobile button{font-weight:600;padding:.75rem 0}.ss--menu-item--is-mobile a>span,.ss--menu-item--is-mobile 
button>span{align-items:center;display:flex;justify-content:space-between}.ss--menu-item--is-mobile a>span>span,.ss--menu-item--is-mobile button>span>span{align-items:center;display:flex}.ss--menu-item--is-mobile a>span svg,.ss--menu-item--is-mobile button>span svg{font-size:2rem}.ss--menu-item--is-back a>span,.ss--menu-item--is-back button>span{justify-content:normal;margin-left:-.42857rem}.ss--menu-item--is-back a>span>span,.ss--menu-item--is-back button>span>span{line-height:1;margin-left:.375rem}.ss--menu-item--is-back .ss--menu-item--current{--button-bg-color:#fff}.ss--menu-item--current{--button-bg-color:#2a8e5a}.ss--pagination{align-items:center;display:flex;justify-content:space-between;margin:0 auto;max-width:73.125rem;padding:0 1.25rem}@media screen and (min-width:75em){.ss--pagination{justify-content:normal;padding:0}}.ss--pagination__next,.ss--pagination__previous{align-items:center;display:flex}.ss--pagination a{color:#252a25}.ss--pagination a:not(:first-of-type):not(:last-of-type){padding:0 1.25rem}.ss--pagination a:first-of-type{padding:0 1.25rem 0 0}.ss--pagination a:last-of-type{padding:0 0 0 1.25rem}.ss--pagination a>svg{font-size:1.5rem;height:1em;width:1em}.ss--pagination a[aria-current]{color:#2a8e5a}.ss--post-card{background-color:#fff;border-radius:6px;display:flex;flex-direction:column;padding:1.25rem}.ss--post-card__tags{font-weight:300;margin-bottom:2rem}.ss--post-card__date,.ss--post-card__tags>a{font-weight:300}.ss--post-card__excerpt{flex-grow:1}.ss--post-card__title{color:#252a25}.ss--post-card--elevated{box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07)}.ss--post-intro__date,.ss--post-intro__tags,.ss--post-intro__tags>a{font-weight:300}.ss--slider{margin:0 auto;max-width:49.25rem}.ss--slider 
input[type=range]{-moz-appearance:none;-webkit-appearance:none;background:#f1f3f4;border-radius:3px;height:6px;margin:.9375rem 0;outline:none;width:100%}.ss--slider input[type=range]::-webkit-slider-thumb{-webkit-appearance:none;background:linear-gradient(216.32794deg,#00bebe,#008a55);border-radius:50em;box-shadow:0 .1875rem .375rem 0 rgba(37,42,37,.08),0 .1875rem .375rem 0 rgba(37,42,37,.08);cursor:pointer;height:1rem;width:1rem}.ss--slider input[type=range]::-moz-range-thumb{-webkit-appearance:none;background:linear-gradient(216.32794deg,#00bebe,#008a55);border-radius:50em;box-shadow:0 .1875rem .375rem 0 rgba(37,42,37,.08),0 .1875rem .375rem 0 rgba(37,42,37,.08);cursor:pointer;height:1rem;width:1rem}.ss--slider input[type=range]::-ms-thumb{-webkit-appearance:none;background:linear-gradient(216.32794deg,#00bebe,#008a55);border-radius:50em;box-shadow:0 .1875rem .375rem 0 rgba(37,42,37,.08),0 .1875rem .375rem 0 rgba(37,42,37,.08);cursor:pointer;height:1rem;margin-top:0;width:1rem}.ss--slider__number{margin:0 auto;max-width:20%}.ss--slider__number input{-webkit-appearance:none;appearance:none;border:1px solid #252a25;border-radius:3px;box-sizing:border-box;display:block;height:2.8125rem;margin-top:.3125rem;padding:.75em 1em;width:100%}.ss--slider__number input:-ms-input-placeholder{opacity:.4}.ss--slider__number input::placeholder{opacity:.4}.ss--slider__price{padding-top:1.25rem}.ss--slider label{clip:rect(0,0,0,0)!important;border:0!important;height:1px!important;overflow:hidden!important;padding:0!important;position:absolute!important;white-space:nowrap!important;width:1px!important}.ss--share{color:#2a8e5a}.ss--share svg{font-size:2.1875rem;height:1em;width:1em}.ss--share svg:focus,.ss--share svg:hover{color:#247a4e}.ss--share button{align-items:center}.ss--share button:first-child:nth-last-child(n+4),.ss--share button:first-child:nth-last-child(n+4)~button{margin-top:1.25rem}.ss--share button:not(:last-child){margin-right:1.25rem}.ss--share__icons,.ss--share 
button{display:flex;flex-direction:row}.ss--share__icons{margin:auto 0}.ss--share__heading{color:#252a25;font-size:1.575rem;line-height:1.4;margin:0 0 .625rem}.ss--spacer{padding:1.25rem 0;position:relative}.ss--spacer--padding-double{padding:2.5rem 0}.ss--table{align-content:center;display:flex;margin:0;max-width:calc(100vw - 2.5rem);overflow-x:scroll;table-layout:fixed;text-align:left}@media screen and (min-width:75em){.ss--table{overflow:hidden}}.ss--table svg{fill:#2a8e5a}.ss--table table{border-collapse:collapse;margin:auto;width:100%}.ss--table thead{font-family:Monda,Arial,sans-serif;font-size:1.5rem;text-align:center}.ss--table thead th{border-bottom:2px solid #7a7a7a;font-weight:400;text-align:center}.ss--table td,.ss--table th{border-bottom:1px solid #f1f3f4;min-width:10rem;padding:1rem}@media print,screen and (min-width:64em){.ss--table td,.ss--table th{max-width:100%;min-width:2rem;white-space:normal}}.ss--table tbody{margin:0 1rem}.ss--table tbody tr{border-bottom:1px solid #7a7a7a}.ss--table tbody tr:last-of-type{border-bottom:unset}.ss--table tbody tr th:first-child{font-weight:600;text-align:left}@media print,screen and (min-width:64em){.ss--table tbody tr th:first-child{font-size:1.5rem}}.ss--table tbody tr td{text-align:center}.ss--table tfoot td{border-bottom:0}.ss--table__wrapper{margin:0 auto 1.25rem;max-width:90rem;padding:0;width:100%}.ss--table--widthsmall .ss--table__wrapper{max-width:48rem}.ss--table--width-medium .ss--table__wrapper{max-width:73.125rem}.ss--table--width-large .ss--table__wrapper{max-width:90rem}.ss--table--gutters{margin:auto;max-width:calc(100vw - 2.5rem)}.ss--testimonial{text-align:center}.ss--testimonial blockquote{margin:0 0 1.25rem}@media screen and (min-width:75em){.ss--testimonial blockquote{margin-bottom:1.25rem;margin-left:initial;margin-right:initial;margin-top:initial}}.ss--testimonial__citation 
cite{color:#252a25}.ss--testimonial__author{margin-bottom:.41667rem}.ss--testimonial__author,.ss--testimonial__company,.ss--testimonial__role{display:block}.ss--testimonial__company,.ss--testimonial__role{font-weight:400}.ss--testimonial__cite{margin-bottom:1.25rem}.ss--testimonial__image{margin:0 auto 1.25rem;width:6.25rem}.ss--testimonial__image img{border-radius:50em}.ss--textarea{padding-bottom:1.25rem}.ss--textarea textarea{-webkit-appearance:none;border:1px solid #252a25;border-radius:3px;box-sizing:border-box;display:block;margin-top:.3125rem;max-width:100%;min-height:11.25rem;min-width:100%;padding:.75em 1em}.ss--textarea textarea:-ms-input-placeholder{opacity:.4}.ss--textarea textarea::placeholder{opacity:.4}.ss--textarea label{clip:rect(0,0,0,0)!important;border:0!important;height:1px!important;overflow:hidden!important;padding:0!important;position:absolute!important;white-space:nowrap!important;width:1px!important}.ss--video{display:flex;flex-direction:column;justify-content:center;position:relative}.ss--video>div{height:0!important;overflow:hidden;padding-bottom:56.25%;padding-top:35px;position:relative;width:unset!important}.ss--video iframe{border-radius:6px;height:100%;left:0;position:absolute;top:0;width:100%}.ss--video--elevated>div{box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07)}.ss--video-with-content{display:flex;flex-direction:column-reverse;gap:1.25rem;margin:0 auto;max-width:73.125rem}@media print,screen and (min-width:64em){.ss--video-with-content{display:grid;gap:2.5rem;grid-template-columns:repeat(2,1fr)}}.ss--video-with-content--gutters{padding-left:1.25rem;padding-right:1.25rem}@media screen and 
(min-width:75em){.ss--video-with-content--gutters{padding-left:0;padding-right:0}}.ss--video-with-content--video-left>div{grid-row:1/2}.ss--video-with-content--video-left>div:first-of-type{grid-column:2/3}.ss--video-with-content--video-left>div:last-of-type{grid-column:1/2}.ss--licenses-item{display:flex;flex-direction:column;height:100%;justify-content:space-between;padding:2.5rem;text-align:center}.ss--licenses-item a:not(.ss--button){color:currentColor;text-decoration:underline}.ss--licenses-item__heading{background-color:#f1f3f4;border-radius:3rem;color:#252a25;font-size:1rem;font-weight:400;margin:0 auto 1.5rem;max-width:12.5rem;padding:.625rem}.ss--licenses-item__price{font-size:3.25rem}.ss--licenses-item__badge{color:#00bfbe;font-family:Monda,Arial,sans-serif;font-size:.875em;font-weight:600;padding:.25em .5em;position:absolute;text-transform:uppercase;transform:translateX(-2rem) rotate(20deg)}.ss--licenses-item__description{font-size:1.125rem}.ss--licenses-item__features{font-size:1.125rem;list-style:none;margin:0;opacity:.64;padding:0}.ss--licenses-item__features li{margin-bottom:1rem}.ss--licenses-item__action{min-height:5.75rem}.ss--licenses-item__note{margin-top:.5rem}.ss--licenses-item--primary .ss--licenses-item__heading{background-color:#00bfbe;color:#fff}.ss--licenses-item--secondary .ss--licenses-item__heading{background-color:#252a25;color:#fff}.ss--licenses-item--free .ss--licenses-item__hero{padding-bottom:4rem}.ss--licenses-item--masked .ss--licenses-item__price{display:block;font-size:2rem;padding-bottom:1.25rem}.ss--licenses{grid-gap:1.25rem;display:grid;grid-template-columns:1fr;grid-template-rows:1fr;margin:0 auto;max-width:74.375rem}@media print,screen and (min-width:64em){.ss--licenses{grid-template-columns:1fr 2fr}}.ss--licenses a:not(.ss--button){color:currentColor;text-decoration:underline}.ss--licenses__item-heading{background-color:#00bfbe;border-radius:3rem;color:#fff;font-size:1rem;font-weight:400;margin:0 auto 
1.5rem;max-width:12.5rem;padding:.625rem}.ss--licenses__item-description{font-size:1.125rem}.ss--licenses__item-features{font-size:1.125rem;list-style:none;opacity:.64;padding:0}.ss--licenses__item-features li{margin-bottom:1rem}.ss--licenses__item-note{margin-top:.5rem}.ss--licenses__paid{grid-gap:1.25rem;border-radius:6px;display:grid;grid-template-columns:1fr;grid-template-rows:1fr}@media print,screen and (min-width:43.75em){.ss--licenses__paid{grid-template-columns:1fr 1fr}}.ss--surface{border-radius:6px;height:100%}.ss--surface,.ss--surface--primary{background-image:linear-gradient(216.32794deg,#00bebe,#008a55)}.ss--surface--primary{color:#fff}.ss--surface--secondary{background:#252a25;color:#fff}.ss--surface--white{background:#fff}.ss--surface--default,.ss--surface--white{border:1px solid #252a25;box-shadow:inset 0 1px 63px 0 rgba(0,0,0,.05)}.ss--surface--default{background:#f1f3f4}.ss--surface--pattern{position:relative}.ss--surface--pattern:before{background:url("https://d33wubrfki0l68.cloudfront.net/44ac09e65d0ffb2ad8bd72ddd575ed5b476e0224/ce639/bg-pattern.svg") repeat-y 125% 50%;background-size:415px 580px;content:" ";display:block;inset:0;pointer-events:none;position:absolute}@media print,screen and (min-width:43.75em){.ss--surface--small-only{background:unset;border:unset;box-shadow:unset}}@media screen and (max-width:43.74875em){.ss--surface--medium-up{background:unset;border:unset;box-shadow:unset}}.ss--surface--elevated{box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07)}.ss--card{text-align:center}.ss--card__content{padding:2.5rem}.ss--document-cta__title,h2,h3{line-height:1.25;margin-bottom:1.25rem}.ss--document-cta__title,h2{font-size:2rem}.ss--document-cta{margin:0 auto;max-width:74.375rem;overflow:hidden}@media print,screen and 
(min-width:64em){.ss--document-cta{padding-top:4rem}}.ss--document-cta__wrapper{grid-column-gap:1.25rem;display:grid;grid-template-columns:1fr;grid-template-rows:1fr;padding:2.5rem}@media print,screen and (min-width:64em){.ss--document-cta__wrapper{grid-template-columns:3.5fr 3fr}}.ss--document-cta__cover{display:none;position:relative}@media print,screen and (min-width:64em){.ss--document-cta__cover{display:block}}.ss--document-cta__cover:after{background:#252a25;bottom:calc(-2.5rem - 1px);content:"";display:block;height:1px;position:absolute;width:100%;z-index:10}.ss--document-cta__content{padding-bottom:1.25rem}.ss--document-cta__paper{background:#fff;border:1px solid #252a25;border-radius:3px;box-shadow:calc(2rem - 1px) calc(2rem + 1px) 0 0 #f5f5f5,2rem 2rem 0 0 #252a25,2rem 2.1875rem .375rem 0 rgba(37,42,37,.12),2rem 2.1875rem 2.375rem 0 rgba(37,42,37,.12);left:2rem;padding:1.25rem;position:absolute;right:2rem;top:-6rem;transition:transform .25s ease;z-index:10}:hover>div>.ss--document-cta__paper{transform:translateY(-.25rem)}.ss--document-cta__body{font-size:1.25rem}.ss--document-cta__cover-title{position:relative}.ss--document-cta__cover-title h3{margin-bottom:0}.ss--swatch{text-align:center}.ss--swatch__content{padding:1.25rem}.ss--swatch__sample{aspect-ratio:1/1}.ss--notification{align-items:center;display:flex;flex-direction:row;justify-content:space-around;position:relative}.ss--notification a,.ss--notification button{color:currentColor}.ss--notification button{background:transparent;border:0;bottom:0;left:0;padding:.625rem;position:absolute;top:0}.ss--notification__content{align-items:center;display:flex;flex-direction:row;margin:auto;padding:.625rem 
2.5rem;text-align:center}.ss--notification__title{font-family:Monda,Arial,sans-serif;line-height:1}.ss--notification__button{display:inline-flex}.ss--notification__cta{font-family:Monda,Arial,sans-serif;line-height:1;margin-left:.5rem}.ss--notification__icon{height:1rem;margin-left:.5rem;width:1rem}.ss--notification--default{background-color:#fff;color:#252a25}.ss--notification--default .ss--notification__cta,.ss--notification--default .ss--notification__icon{color:#2a8e5a}.ss--notification--accent{background-color:#00bfbe;color:#fff}.ss--notification--primary{background-color:#2a8e5a;color:#fff}.ss--notification--alert{background-color:#d85d5d;color:#fff}.ss--notification--warning{background-color:#d8b85d;color:#fff}*{box-sizing:border-box}body{margin:0;overflow-x:hidden}main{display:block}hr{box-sizing:content-box;height:0;overflow:visible}pre{font-family:monospace,monospace;font-size:1em}a{background-color:transparent}abbr[title]{border-bottom:none;text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted}b,strong{font-weight:bolder}code,kbd,samp{font-family:monospace,monospace;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}img{border-style:none}form{margin:0}button,input,optgroup,select,textarea{font-family:inherit;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{border-style:none;padding:0}[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[type=submit]:-moz-focusring,button:-moz-focusring{outline:1px dotted ButtonText}fieldset{padding:.35em .75em 
.625em}legend{box-sizing:border-box;color:inherit;display:table;max-width:100%;padding:0;white-space:normal}progress{vertical-align:baseline}textarea{overflow:auto}[type=checkbox],[type=radio]{box-sizing:border-box;padding:0}[type=number]::-webkit-inner-spin-button,[type=number]::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}[type=search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details{display:block}summary{display:list-item}[hidden],template{display:none}:root{--primary-color:#2a8e5a}:export{primaryColor:#2a8e5a;secondaryColor:#252a25;accentColor:#00bfbe;errorColor:#d85d5d;warningColor:#d8b85d;black:#252a25;white:#fff;lightGray:#f1f3f4;darkGray:#7a7a7a;primaryGradient:linear-gradient(216.32794deg,#00bebe,#008a55);mediumBreakpoint:700px;xlargeBreakpoint:1200px;xxlargeBreakpoint:1400px}body{color:#252a25;font-family:IBM Plex Sans,Arial,sans-serif}h1,h2,h3,h4,h5,h6{font-family:Monda,Arial,sans-serif;font-weight:700}h1,h2,h3,h4,h5,h6,p{margin-top:0}h1{font-size:2.625rem;line-height:1.4;margin-bottom:1.6625rem}h2,h3{line-height:1.25;margin-bottom:1.25rem}h2{font-size:2rem}h3{font-size:1.575rem;line-height:1.4}h4{font-size:1rem;letter-spacing:.065em;line-height:1.66rem}a{text-decoration:none}blockquote,cite,p{line-height:1.5}blockquote{font-size:1.3125rem;font-style:italic;font-weight:400;margin-top:0}cite{font-size:1.125rem;font-style:normal;font-weight:600}figcaption{font-size:.875rem;margin-bottom:1rem}figcaption,label,p{font-weight:300}ol{margin:0;padding:0 0 0 1rem}pre{padding:1.25rem}p code,pre{background:#f1f3f4;font-size:.875rem;margin-top:0;overflow:scroll}p code{padding:.625rem 
1.25rem}abbr[title]{text-decoration:none}hr{margin-bottom:2.5rem;margin-top:2.5rem;min-width:4rem}strong{font-weight:600}:root{--layout-sidebar-bg:rgba(37,42,37,.9)}.layout__sidebar{-webkit-font-smoothing:antialiased;background-color:var(--layout-sidebar-bg);z-index:15}.layout__sidebar,.modal{bottom:0;color:#fff;left:0;position:fixed;right:0;top:0}.modal__loading{inset:0;margin:auto;position:absolute;z-index:-1}.modal__error{background-color:red;border-radius:.5rem;bottom:auto;display:inline-block;inset:0;margin:6rem auto auto;max-width:25rem;padding:1rem;position:absolute;text-align:center}.modal__error p:last-child{margin-bottom:0}.modal__close{align-items:center;background:none;border:0;color:currentColor;display:flex;position:absolute;right:1rem;top:1rem}.headroom{left:0;right:0;top:0;will-change:transform;z-index:20}.headroom-wrapper--sidebar .headroom{position:fixed;transform:translateY(-100%)}.headroom--unfixed{position:relative;transform:none}.layout--transparent-header .headroom--unfixed{position:absolute}.headroom--scrolled{transition:transform .2s ease-in-out,background-color 1ms linear}.headroom--unpinned{position:fixed;transform:translate3d(0,-100%,0)}.headroom--pinned{position:fixed;transform:translateZ(0)}.layout--transparent-header .headroom-wrapper{left:0;position:absolute;right:0;top:0}</style><meta name="generator" content="Gatsby 3.14.5" /><title data-react-helmet>Linux Stealth Rootkit Malware with EDR Evasion</title><link data-react-helmet rel="apple-touch-icon" sizes="57x57" href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=57&amp;h=57" /><link data-react-helmet rel="apple-touch-icon" sizes="60x60" href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=60&amp;h=60" /><link data-react-helmet rel="apple-touch-icon" sizes="72x72" href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=72&amp;h=72" /><link data-react-helmet rel="apple-touch-icon" sizes="76x76" 
href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=76&amp;h=76" /><link data-react-helmet rel="apple-touch-icon" sizes="114x114" href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=114&amp;h=114" /><link data-react-helmet rel="apple-touch-icon" sizes="120x120" href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=120&amp;h=120" /><link data-react-helmet rel="apple-touch-icon" sizes="144x144" href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=144&amp;h=144" /><link data-react-helmet rel="apple-touch-icon" sizes="152x152" href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=152&amp;h=152" /><link data-react-helmet rel="apple-touch-icon" sizes="180x180" href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=180&amp;h=180" /><link data-react-helmet rel="icon" sizes="16x16" href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=16&amp;h=16" type="image/svg" /><link data-react-helmet rel="icon" sizes="32x32" href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=32&amp;h=32" type="image/svg" /><link data-react-helmet rel="icon" sizes="96x96" href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=96&amp;h=96" type="image/svg" /><link data-react-helmet rel="icon" sizes="192x192" href="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=192&amp;h=192" type="image/svg" /><link data-react-helmet rel="alternate" type="application/rss+xml" title="RSS Feed for sandflysecurity.com" href="/blog/rss.xml" /><meta data-react-helmet name="msapplication-square70x70" content="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=70&amp;h=70" /><meta data-react-helmet name="msapplication-square150x150" content="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=150&amp;h=150" /><meta data-react-helmet name="msapplication-square310x310" content="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=310&amp;h=310" /><meta data-react-helmet 
name="msapplication-square310x150" content="https://www.datocms-assets.com/56687/1634009075-icon.svg?w=310&amp;h=150" /><meta data-react-helmet name="application-name" content="Sandfly Security" /><meta data-react-helmet name="format-detection" content="telephone=no" /><meta data-react-helmet property="og:title" content="Linux Stealth Rootkit Malware with EDR Evasion" /><meta data-react-helmet name="twitter:title" content="Linux Stealth Rootkit Malware with EDR Evasion" /><meta data-react-helmet name="description" content="Sandfly detects Linux stealth malware which was able to evade other Linux EDR solutions." /><meta data-react-helmet property="og:description" content="Sandfly detects Linux stealth malware which was able to evade other Linux EDR solutions." /><meta data-react-helmet name="twitter:description" content="Sandfly detects Linux stealth malware which was able to evade other Linux EDR solutions." /><meta data-react-helmet name="twitter:site" content="@https://twitter.com/sandflysecurity" /><meta data-react-helmet name="twitter:card" content="summary" /><meta data-react-helmet property="article:modified_time" content="2021-12-13T22:44:54Z" /><meta data-react-helmet property="article:published_time" content="2021-11-29T03:00:00Z" /><meta data-react-helmet property="og:locale" content="en_EN" /><meta data-react-helmet property="og:type" content="article" /><meta data-react-helmet property="og:site_name" content="Sandfly Security" /><meta data-react-helmet property="og:image" content="https://www.datocms-assets.com/56687/1637270429-incident-host-results.png?w=1000&amp;fit=max&amp;fm=jpg" /><meta data-react-helmet name="twitter:image" content="https://www.datocms-assets.com/56687/1637270429-incident-host-results.png?w=1000&amp;fit=max&amp;fm=jpg" /><style>.gatsby-image-wrapper{position:relative;overflow:hidden}.gatsby-image-wrapper picture.object-fit-polyfill{position:static!important}.gatsby-image-wrapper 
img{bottom:0;height:100%;left:0;margin:0;max-width:none;padding:0;position:absolute;right:0;top:0;width:100%;object-fit:cover}.gatsby-image-wrapper [data-main-image]{opacity:0;transform:translateZ(0);transition:opacity .25s linear;will-change:opacity}.gatsby-image-wrapper-constrained{display:inline-block;vertical-align:top}</style><noscript><style>.gatsby-image-wrapper noscript [data-main-image]{opacity:1!important}.gatsby-image-wrapper [data-placeholder-image]{opacity:0!important}</style></noscript><script type="module">const e="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;e&&document.body.addEventListener("load",(function(e){if(void 0===e.target.dataset.mainImage)return;if(void 0===e.target.dataset.gatsbyImageSsr)return;const t=e.target;let a=null,n=t;for(;null===a&&n;)void 0!==n.parentNode.dataset.gatsbyImageWrapper&&(a=n.parentNode),n=n.parentNode;const o=a.querySelector("[data-placeholder-image]"),r=new Image;r.src=t.currentSrc,r.decode().catch((()=>{})).then((()=>{t.style.opacity=1,o&&(o.style.opacity=0,o.style.transition="opacity 500ms linear")}))}),!0);</script><link rel="preload" as="font" type="font/woff2" crossOrigin="anonymous" href="/static/webfonts/s/ibmplexsans/v9/zYX-KVElMYYaJe8bpLHnCwDKhdTuF6ZJ.woff2" /><link rel="preload" as="font" type="font/woff2" crossOrigin="anonymous" href="/static/webfonts/s/ibmplexsans/v9/zYXgKVElMYYaJe8bpLHnCwDKhdHeFQ.woff2" /><link rel="preload" as="font" type="font/woff2" crossOrigin="anonymous" href="/static/webfonts/s/ibmplexsans/v9/zYX9KVElMYYaJe8bpLHnCwDKjQ76AIFsdA.woff2" /><link rel="preload" as="font" type="font/woff2" crossOrigin="anonymous" href="/static/webfonts/s/monda/v11/TK3tWkYFABsmjsphPho.woff2" /><link rel="preload" as="font" type="font/woff2" crossOrigin="anonymous" href="/static/webfonts/s/monda/v11/TK3gWkYFABsmjsLaGw8Eneo.woff2" /><style>@font-face{font-display:swap;font-family:IBM Plex 
Sans;font-style:italic;font-weight:400;src:url("https://d33wubrfki0l68.cloudfront.net/e0de04d45de9f46bd2a4fcb716907b9d316b3a2b/79803/static/webfonts/s/ibmplexsans/v9/zyx-kvelmyyaje8bplhncwdkhdtuf6zj.woff2") format("woff2")}@font-face{font-display:swap;font-family:IBM Plex Sans;font-style:normal;font-weight:400;src:url("https://d33wubrfki0l68.cloudfront.net/141e69b4f344ea6895e4964de782d7fec1130a92/21aa8/static/webfonts/s/ibmplexsans/v9/zyxgkvelmyyaje8bplhncwdkhdhefq.woff2") format("woff2")}@font-face{font-display:swap;font-family:IBM Plex Sans;font-style:normal;font-weight:600;src:url("https://d33wubrfki0l68.cloudfront.net/28183bbea4461ca2801ba9f203fbdd382121cec0/0af57/static/webfonts/s/ibmplexsans/v9/zyx9kvelmyyaje8bplhncwdkjq76aifsda.woff2") format("woff2")}@font-face{font-display:swap;font-family:IBM Plex Sans;font-style:italic;font-weight:400;src:url("https://d33wubrfki0l68.cloudfront.net/3b11215aeff09af4943cf051bf076c26692e8aac/f43fc/static/webfonts/s/ibmplexsans/v9/zyx-kvelmyyaje8bplhncwdkhdtuf6zp.woff") format("woff")}@font-face{font-display:swap;font-family:IBM Plex Sans;font-style:normal;font-weight:400;src:url("https://d33wubrfki0l68.cloudfront.net/37cec34425d5b15f1e5f3a5c89c9c07a8424a06e/03519/static/webfonts/s/ibmplexsans/v9/zyxgkvelmyyaje8bplhncwdkhdheew.woff") format("woff")}@font-face{font-display:swap;font-family:IBM Plex Sans;font-style:normal;font-weight:600;src:url("https://d33wubrfki0l68.cloudfront.net/61c4901a4e0884801fe635207f9193bb0c0a6319/8b46b/static/webfonts/s/ibmplexsans/v9/zyx9kvelmyyaje8bplhncwdkjq76aifscg.woff") format("woff")}@font-face{font-display:swap;font-family:Monda;font-style:normal;font-weight:400;src:url("https://d33wubrfki0l68.cloudfront.net/6eb641c4850544be55d8ef49c8dcef41d37bc304/2d3b1/static/webfonts/s/monda/v11/tk3twkyfabsmjsphpho.woff2") 
format("woff2")}@font-face{font-display:swap;font-family:Monda;font-style:normal;font-weight:700;src:url("https://d33wubrfki0l68.cloudfront.net/58577b2347a7f49eeab2e47551b3a34e4a14dbf8/d8517/static/webfonts/s/monda/v11/tk3gwkyfabsmjslagw8eneo.woff2") format("woff2")}@font-face{font-display:swap;font-family:Monda;font-style:normal;font-weight:400;src:url("https://d33wubrfki0l68.cloudfront.net/d0b444f45c889a5824047c910eb1257b1b61affd/82018/static/webfonts/s/monda/v11/tk3twkyfabsmjsphphw.woff") format("woff")}@font-face{font-display:swap;font-family:Monda;font-style:normal;font-weight:700;src:url("https://d33wubrfki0l68.cloudfront.net/3e62a737939f86e5571db04dafd7cc13516bd96e/39425/static/webfonts/s/monda/v11/tk3gwkyfabsmjslagw8enew.woff") format("woff")}</style><link rel="sitemap" type="application/xml" href="/sitemap/sitemap-index.xml" /><link rel="alternate" type="application/rss+xml" title="Sandfly Security Blog RSS Feed" href="/blog/rss.xml" /><link rel="preconnect" href="https://www.googletagmanager.com" /><link rel="dns-prefetch" href="https://www.googletagmanager.com" /><link as="script" rel="preload" href="/webpack-runtime-879b79453e276ef30ce2.js" /><link as="script" rel="preload" href="/framework-c263438ac2c988728477.js" /><link as="script" rel="preload" href="/252f366e-b322fa72583b59061ed4.js" /><link as="script" rel="preload" href="/545f34e4-72cf32f6098a825aca20.js" /><link as="script" rel="preload" href="/1bfc9850-31218c3c985bbd75ceed.js" /><link as="script" rel="preload" href="/0c428ae2-077c794f033ffcb85804.js" /><link as="script" rel="preload" href="/d7eeaac4-9383b673d380ff69a85f.js" /><link as="script" rel="preload" href="/dc6a8720040df98778fe970bf6c000a41750d3ae-dd93728800e4a0b477f1.js" /><link as="script" rel="preload" href="/app-132ada53c3c9e9f3531c.js" /><link as="script" rel="preload" href="/commons-cdf8d21da97b7f8c3277.js" /><link as="script" rel="preload" href="/component---src-templates-post-tsx-ae335e01da7e1c5f3255.js" /><link as="fetch" 
rel="preload" href="/page-data/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/page-data.json" crossOrigin="anonymous" /><link as="fetch" rel="preload" href="/page-data/sq/d/1073642445.json" crossOrigin="anonymous" /><link as="fetch" rel="preload" href="/page-data/sq/d/1103654681.json" crossOrigin="anonymous" /><link as="fetch" rel="preload" href="/page-data/sq/d/1530575845.json" crossOrigin="anonymous" /><link as="fetch" rel="preload" href="/page-data/sq/d/1815332591.json" crossOrigin="anonymous" /><link as="fetch" rel="preload" href="/page-data/sq/d/2060295489.json" crossOrigin="anonymous" /><link as="fetch" rel="preload" href="/page-data/sq/d/2461549756.json" crossOrigin="anonymous" /><link as="fetch" rel="preload" href="/page-data/sq/d/3075835065.json" crossOrigin="anonymous" /><link as="fetch" rel="preload" href="/page-data/sq/d/3889418360.json" crossOrigin="anonymous" /><link as="fetch" rel="preload" href="/page-data/sq/d/3948011046.json" crossOrigin="anonymous" /><link as="fetch" rel="preload" href="/page-data/sq/d/717698143.json" crossOrigin="anonymous" /><link as="fetch" rel="preload" href="/page-data/app-data.json" crossOrigin="anonymous" /></head><body><div id="___gatsby"><div style="outline: none;" tabIndex="-1" id="gatsby-focus-wrapper"><div id="layout" class="layout"><div data-focus-guard tabIndex="-1" style="width: 1px; height: 0px; padding: 0px; overflow: hidden; position: fixed; top: 1px; left: 1px;"></div><div data-focus-guard tabIndex="-1" style="width: 1px; height: 0px; padding: 0px; overflow: hidden; position: fixed; top: 1px; left: 1px;"></div><div data-focus-lock-disabled="disabled" data-focus-lock="sidebar"><div class="headroom-wrapper"><div class="headroom headroom--unfixed"><header class="ss--header"><div><div class="ss--notification ss--notification--default"><a href="/blog/sandfly-security-is-not-vulnerable-to-log4j-exploit/"><div class="ss--notification__content"><div class="ss--notification__title">Sandfly Security Not 
class="ss--menu__item"><button aria-haspopup="true" aria-controls="menu-2-box" aria-expanded="false" id="menu-2-button" tabIndex="0" class="ss--menu__toggle"><span class="ss--menu__link">Customers<svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path fill="none" d="M0 0h24v24H0z"></path><path d="M16.59 8.59L12 13.17 7.41 8.59 6 10l6 6 6-6z"></path></svg></span><div aria-labelledby="menu-2-button" id="menu-2-box" class="ss--drop-down ss--drop-down--closed"><ul class="ss--drop-down__list" style="opacity: 0; transform: translateY(-32px) translateZ(0);"><li class="ss--menu-item" style="opacity: 0; transform: translateY(-16px) translateZ(0);"><a tabIndex="-1" class="ss--button ss--button--alignment-left ss--button--color-accent ss--button--style-solid ss--button--menu-item ss--button--inverse" href="/customers/testimonials/"><span><span>Testimonials</span></span></a></li><li class="ss--menu-item" style="opacity: 0; transform: translateY(-16px) translateZ(0);"><a tabIndex="-1" class="ss--button ss--button--alignment-left ss--button--color-accent ss--button--style-solid ss--button--menu-item ss--button--inverse" href="/customers/case-studies/"><span><span>Case Studies</span></span></a></li></ul></div></button></li><li class="ss--menu__item"><button aria-haspopup="true" aria-controls="menu-3-box" aria-expanded="false" id="menu-3-button" tabIndex="0" class="ss--menu__toggle"><span class="ss--menu__link">About Us<svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path fill="none" d="M0 0h24v24H0z"></path><path d="M16.59 8.59L12 13.17 7.41 8.59 6 10l6 6 6-6z"></path></svg></span><div aria-labelledby="menu-3-button" id="menu-3-box" class="ss--drop-down ss--drop-down--closed"><ul class="ss--drop-down__list" style="opacity: 0; transform: translateY(-32px) translateZ(0);"><li 
class="ss--menu-item" style="opacity: 0; transform: translateY(-16px) translateZ(0);"><a tabIndex="-1" class="ss--button ss--button--alignment-left ss--button--color-accent ss--button--style-solid ss--button--menu-item ss--button--inverse" href="/about-us/our-story/"><span><span>Our Story</span></span></a></li><li class="ss--menu-item" style="opacity: 0; transform: translateY(-16px) translateZ(0);"><a tabIndex="-1" class="ss--button ss--button--alignment-left ss--button--color-accent ss--button--style-solid ss--button--menu-item ss--button--inverse" href="/about-us/partner/"><span><span>Partners And MSSPs</span></span></a></li><li class="ss--menu-item" style="opacity: 0; transform: translateY(-16px) translateZ(0);"><a tabIndex="-1" class="ss--button ss--button--alignment-left ss--button--color-accent ss--button--style-solid ss--button--menu-item ss--button--inverse" href="/under-attack/"><span><span>Under Attack? </span></span></a></li><li class="ss--menu-item" style="opacity: 0; transform: translateY(-16px) translateZ(0);"><a tabIndex="-1" class="ss--button ss--button--alignment-left ss--button--color-accent ss--button--style-solid ss--button--menu-item ss--button--inverse" href="/contact-us/"><span><span>Contact Us </span></span></a></li></ul></div></button></li></ul></nav></div><div class="ss--header__cta"><a class="ss--button ss--button--alignment-left ss--button--color-primary ss--button--elevated ss--button--style-solid" href="/get-sandfly/"><span>Get Sandfly</span></a></div><div class="ss--header__icon"><button aria-label="Toggle Menu" class="ss--menu-icon"><svg viewBox="0 0 40 41"><rect width="18" height="2.25" rx=".5" x="22" y="13"></rect><rect width="18" height="2.25" rx=".5" x="22" y="19" opacity="1"></rect><rect width="18" height="2.25" rx=".5" x="22" y="25"></rect></svg></button></div></div></div></header></div></div></div><div data-focus-guard tabIndex="-1" style="width: 1px; height: 0px; padding: 0px; overflow: hidden; position: fixed; top: 1px; 
left: 1px;"></div><div class="layout__content"><main><nav aria-label="Breadcrumb" class="ss--breadcrumbs"><ul class="ss--breadcrumbs__list"><li class="ss--breadcrumbs__item"><a href="/blog/">Blog</a></li><li aria-current="page" class="ss--breadcrumbs__item"><a aria-current="page" class href="/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/" class>Linux Stealth Rootkit Malware with EDR Evasion</a></li></ul></nav><div class="ss--content ss--content--gutters ss--content--text-align-left ss--content--width-small"><div class="ss--spacer "></div><div><h1>Linux Stealth Rootkit Malware with EDR Evasion</h1><p class="ss--post-intro__date">November 28, 2021</p><p class="ss--post-intro__tags"><a href="/blog/tag/malware/">Malware</a>, <a href="/blog/tag/rootkits/">Rootkits</a>, <a href="/blog/tag/linux-forensics/">Linux Forensics</a>, <a href="/blog/tag/linux-security/">Linux Security</a></p></div><div class="ss--spacer "></div><p>Recently, Sandfly was contacted to investigate an incident involving a novel piece of Linux stealth malware. What made this malware interesting is it deployed a full stealth rootkit to hide itself, and in so doing was able to evade a market leading Endpoint Detection and Response (EDR) product. The malware appeared to be focused on cryptomining, but also had SSH bruteforce and likely backdoor capability. It's not unreasonable to assume the framework could be used at some point to also deploy ransomware features if desired.</p><h2>Stealth Malware Breach Suspected</h2><p>The customer reported a machine acting strangely and felt that it had been compromised even though their EDR solution was not able to see the activity. During an initial triage the security team reported that some files could not be viewed (e.g. SSH <em>authorized_keys</em>) and other symptoms were happening indicating the host was trying to hide something.</p><p>Running Sandfly against the target showed the system had big problems with dozens of alerts. 
We found suspicious binaries during the incident and only one AV vendor at the time had any indication that it was malicious in VirusTotal:</p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='576' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1637270231-incident-virustotal-unknown-malware.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637270231-incident-virustotal-unknown-malware.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637270231-incident-virustotal-unknown-malware.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637270231-incident-virustotal-unknown-malware.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Low Malware Detection Rate in VirusTotal" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637270231-incident-virustotal-unknown-malware.png?auto=format&amp;fit=crop&amp;w=728" srcSet="https://www.datocms-assets.com/56687/1637270231-incident-virustotal-unknown-malware.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 
182w,https://www.datocms-assets.com/56687/1637270231-incident-virustotal-unknown-malware.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637270231-incident-virustotal-unknown-malware.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Low Malware Detection Rate in VirusTotal" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><p>The Sandfly console though showed the following:</p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='406' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; 
display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1637270429-incident-host-results.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637270429-incident-host-results.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637270429-incident-host-results.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637270429-incident-host-results.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Sandfly Detects Novel Stealth Linux Malware" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637270429-incident-host-results.png?auto=format&amp;fit=crop&amp;w=728" srcSet="https://www.datocms-assets.com/56687/1637270429-incident-host-results.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637270429-incident-host-results.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637270429-incident-host-results.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Sandfly Detects Novel Stealth Linux Malware" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of 
t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><p></p><p>What exactly was the malware doing?</p><ul><li><p>Hiding processes.</p></li><li><p>Using high-entropy packed/encrypted binaries to mask their contents.</p></li><li><p>Process binaries marked immutable (the <em>chattr +i</em> attribute, visible with <em>lsattr</em>) for persistence: an immutable file cannot be modified or unlinked, even by root, until the attribute is cleared with <em>chattr -i</em>.</p></li><li><p>Immutable root user SSH <em>authorized_keys</em> file with a new key added for persistence.</p></li><li><p>Immutable config files under the <em>/etc</em> directory.</p></li><li><p>Immutable and hidden system library file.</p></li><li><p>Tampered <em>/etc/ld.so.preload</em> pointing at the malicious library path.</p></li><li><p>Processes with watchdog features to restart themselves if killed.</p></li><li><p>Tampered files hidden from system commands like <em>ls</em>, <em>cat</em>, <em>strings</em> and <em>lsof</em> (all dynamically linked, so the preloaded library can intercept the libc calls they depend on).</p></li><li><p>Open network connection to a command and control server.</p></li><li><p>SSH bruteforcer to spread automatically.</p></li><li><p>Complete evasion of a Linux EDR solution (not Sandfly!).</p></li></ul><p>Overall, this malware was a well-executed stealth rootkit and payload. It was effective at hiding from observation and, as stated above, evaded an EDR product. 
The SSH bruteforcer was aggressive in scanning and effective at finding new hosts to infect.</p><h2>Linux LD_PRELOAD Stealth Rootkit and Packed Binaries</h2><p>The admins suspected a rootkit was present because standard system tools like <em>ps</em>, <em>top</em> or <em>lsof</em> were not showing everything. That is the classic symptom of a Linux stealth rootkit. There are two main types of rootkits on Linux: <a href="https://www.sandflysecurity.com/blog/detect-linux-loadable-kernel-module-stealth-rootkits-agentlessly-with-sandfly/">Loadable Kernel Module</a> (LKM), which hooks the kernel itself, or <a href="https://www.sandflysecurity.com/blog/detecting-and-de-cloaking-hiddenwasp-linux-stealth-malware/">LD_PRELOAD style</a>, which hooks libc calls inside dynamically linked user-space programs. Which one we were dealing with determines the next step, because the two are detected and decloaked differently. </p><p>After running Sandfly, the first thing we found were a couple of suspicious packed/encrypted binaries running under the names <em>bioset</em> and <em>kthreadd</em>. Both names mimic legitimate kernel threads (the real <em>kthreadd</em> is normally PID 2 and has no executable on disk at all), a common trick to blend into <em>ps</em> output; a process with one of these names that is backed by an on-disk ELF file is itself a red flag. The files appeared to be packed with the popular tool UPX. Packing is nominally a way to compress a binary to save space. In practice, however, it is mostly used to make malicious binaries harder to detect and reverse engineer. <strong>A packed binary on Linux is 99% of the time malicious and should be immediately investigated.</strong> Trust us. Treat it as a strong triage signal rather than proof, though: before acting, confirm the file is not owned by an installed package (your package manager's verify command) or shipped by a known vendor. The problem is so bad we even released a free tool to help you scan your system for any packed binaries (<a href="https://github.com/sandflysecurity/sandfly-filescan">sandfly-filescan</a>). 
</p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='820' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1637272906-incident-high-entropy-process-kthreadd.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637272906-incident-high-entropy-process-kthreadd.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637272906-incident-high-entropy-process-kthreadd.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637272906-incident-high-entropy-process-kthreadd.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Suspicious Packed Malware Binary on Linux" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637272906-incident-high-entropy-process-kthreadd.png?auto=format&amp;fit=crop&amp;w=728" srcSet="https://www.datocms-assets.com/56687/1637272906-incident-high-entropy-process-kthreadd.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637272906-incident-high-entropy-process-kthreadd.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 
364w,https://www.datocms-assets.com/56687/1637272906-incident-high-entropy-process-kthreadd.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Suspicious Packed Malware Binary on Linux" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><p>The binaries were also running with immutable permissions on the filesystem to prevent removal:</p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='815' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image 
style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1637273028-incident-process-bioset-immutable.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637273028-incident-process-bioset-immutable.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637273028-incident-process-bioset-immutable.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637273028-incident-process-bioset-immutable.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Immutable Malware Linux Binary" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637273028-incident-process-bioset-immutable.png?auto=format&amp;fit=crop&amp;w=728" srcSet="https://www.datocms-assets.com/56687/1637273028-incident-process-bioset-immutable.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637273028-incident-process-bioset-immutable.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637273028-incident-process-bioset-immutable.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Immutable Malware Linux Binary" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of 
t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><p>Now, although they sound scary, stealth rootkits are usually <a href="https://www.sandflysecurity.com/blog/detecting-and-de-cloaking-hiddenwasp-linux-stealth-malware/">easy to decloak if you know where to look</a> (also using our free tool <a href="https://github.com/sandflysecurity/sandfly-processdecloak">sandfly-processdecloak</a>). In this case we used Sandfly as it can decloak these issues for us. An alert also stood out: processes holding open file descriptors to <em>/etc/ld.so.preload</em>. The dynamic loader normally reads this file once at process start and closes it, so a long-running process that keeps it open has no legitimate reason to do so. 
</p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='811' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1637272034-incident-process-bioset-open-suspicious-file-descriptors.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637272034-incident-process-bioset-open-suspicious-file-descriptors.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637272034-incident-process-bioset-open-suspicious-file-descriptors.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637272034-incident-process-bioset-open-suspicious-file-descriptors.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Suspicious Linux Process with Open /etc/ld.so.preload" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637272034-incident-process-bioset-open-suspicious-file-descriptors.png?auto=format&amp;fit=crop&amp;w=728" srcSet="https://www.datocms-assets.com/56687/1637272034-incident-process-bioset-open-suspicious-file-descriptors.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 
182w,https://www.datocms-assets.com/56687/1637272034-incident-process-bioset-open-suspicious-file-descriptors.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637272034-incident-process-bioset-open-suspicious-file-descriptors.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Suspicious Linux Process with Open /etc/ld.so.preload" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><p>Sandfly's forensic data confirms that this process is holding an active file descriptor to <em>/etc/ld.so.preload</em>, presumably as part of its effort to protect the file from alteration or removal. Note that on Linux an open descriptor does not by itself stop root from rewriting or unlinking the path; that protection comes from the immutable attribute and the watchdog behaviour described above. The open descriptor is nevertheless a high-value indicator: it shows up in the process's <em>/proc/PID/fd</em> entries when they are read by a tool the rootkit does not hook, even while the file itself is hidden from <em>ls</em>.</p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt 
role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='778' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1637272296-incident-process-bioset-open-suspicious-file-descriptors-raw-data.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637272296-incident-process-bioset-open-suspicious-file-descriptors-raw-data.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637272296-incident-process-bioset-open-suspicious-file-descriptors-raw-data.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637272296-incident-process-bioset-open-suspicious-file-descriptors-raw-data.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Sandfly Forensic Data Showing /etc/ld.so.preload File Descriptor" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637272296-incident-process-bioset-open-suspicious-file-descriptors-raw-data.png?auto=format&amp;fit=crop&amp;w=728" srcSet="https://www.datocms-assets.com/56687/1637272296-incident-process-bioset-open-suspicious-file-descriptors-raw-data.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637272296-incident-process-bioset-open-suspicious-file-descriptors-raw-data.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 
364w,https://www.datocms-assets.com/56687/1637272296-incident-process-bioset-open-suspicious-file-descriptors-raw-data.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Sandfly Forensic Data Showing /etc/ld.so.preload File Descriptor" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><p>Processes with an interest in <em>/etc/ld.so.preload</em> matter because that file lets an intruder force a malicious shared library into every dynamically linked program the system starts: the dynamic loader loads the libraries listed there before anything else, so they can interpose on libc functions such as the ones used to list directories, open files and enumerate processes. In plain terms, a malicious library can hide files, processes and directories from you whenever you use a dynamically linked tool, which covers essentially every standard system command. No dynamically linked command on this host can be trusted to show what is going on while this kind of rootkit is present. Statically linked tools do not consult <em>/etc/ld.so.preload</em> at all and so are unaffected by this class of hook, which makes them a useful cross-check (though a kernel-level rootkit would still fool them); inspecting an offline copy of the disk from a clean system is the safest option.</p><p>In fact, trying to view <em>/etc/ld.so.preload</em> with system commands was completely blocked by the rootkit. 
The file could not be viewed or even copied, as it was being protected from observation and removal. At this point we are 100% certain we are dealing with <a href="https://www.sandflysecurity.com/blog/how-to-decloak-stealth-linux-cryptocurrency-mining-malware/">an LD_PRELOAD stealth rootkit</a>.</p><h2>Decloaking a Linux Stealth Rootkit</h2><p>Now that we are certain that an LD_PRELOAD rootkit is in operation, we want to look into the <em>/etc/ld.so.preload</em> file that the malicious binary finds so interesting. Sandfly had in fact already flagged this file because it was marked immutable to prevent removal, which is extremely unusual on Linux: with the immutable attribute set, even root cannot modify, rename or delete the file until the attribute is cleared, so it is a favourite way for malware to resist cleanup. </p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='818' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1637272614-inciden-etc-ld-so-preload-immutable.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637272614-inciden-etc-ld-so-preload-immutable.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637272614-inciden-etc-ld-so-preload-immutable.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637272614-inciden-etc-ld-so-preload-immutable.png?auto=format&amp;fit=crop&amp;w=728 728w" 
alt="Immutable /etc/ld.so.preload Hiding Malicious Library Path" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637272614-inciden-etc-ld-so-preload-immutable.png?auto=format&amp;fit=crop&amp;w=728" srcSet="https://www.datocms-assets.com/56687/1637272614-inciden-etc-ld-so-preload-immutable.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637272614-inciden-etc-ld-so-preload-immutable.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637272614-inciden-etc-ld-so-preload-immutable.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Immutable /etc/ld.so.preload Hiding Malicious Library Path" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><p>Sandfly also flagged that the 
file was not empty which again is not common on Linux. Although there are legitimate reasons for an LD_PRELOAD library to be used, 99% of the time a Linux host won't have anything in this file and file references there should be viewed with suspicion until proven innocent. </p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='821' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1637272667-incident-etc-ld-so-preload-non-empty.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637272667-incident-etc-ld-so-preload-non-empty.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637272667-incident-etc-ld-so-preload-non-empty.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637272667-incident-etc-ld-so-preload-non-empty.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="System /etc/ld.so.preload with Suspicious Data" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637272667-incident-etc-ld-so-preload-non-empty.png?auto=format&amp;fit=crop&amp;w=728" 
srcSet="https://www.datocms-assets.com/56687/1637272667-incident-etc-ld-so-preload-non-empty.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637272667-incident-etc-ld-so-preload-non-empty.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637272667-incident-etc-ld-so-preload-non-empty.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="System /etc/ld.so.preload with Suspicious Data" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><p>The system commands were not showing us the contents of the <em>/etc/ld.so.preload</em> file due to the rootkit, but we can use Sandfly's raw forensic data to see the decloaked data immediately:</p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper 
class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='734' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1637272731-incident-etc-ld-so-preload-non-empty-data.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637272731-incident-etc-ld-so-preload-non-empty-data.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637272731-incident-etc-ld-so-preload-non-empty-data.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637272731-incident-etc-ld-so-preload-non-empty-data.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="System /etc/ld.so.preload with Suspicious Library Path" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637272731-incident-etc-ld-so-preload-non-empty-data.png?auto=format&amp;fit=crop&amp;w=728" srcSet="https://www.datocms-assets.com/56687/1637272731-incident-etc-ld-so-preload-non-empty-data.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637272731-incident-etc-ld-so-preload-non-empty-data.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637272731-incident-etc-ld-so-preload-non-empty-data.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="System 
/etc/ld.so.preload with Suspicious Library Path" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><p>The path found in this file is the suspiciously named <em>/lib/libcurl.so.2.17.0</em>. If you think a reference to <em>curl</em> in this system file is odd, you aren't alone: the name is chosen to look like the legitimate libcurl shared library, but a real libcurl would never need to be preloaded into every process on the host, and a reference to it in <em>/etc/ld.so.preload</em> should be treated as hostile until the file has been examined. </p><p>To confirm this, we used the Sandfly Incident Response Tool (<em>sfirt</em>) that we created to read the suspicious file and dump its contents from the command line even when it is cloaked. The file was not linefeed terminated, but you can clearly see the reference to <em>/lib/libcurl.so.2.17.0</em>, again confirming the forensic data above. 
</p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='149' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1637280263-incident-file-ldsopreload-copy-and-read-redacted.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637280263-incident-file-ldsopreload-copy-and-read-redacted.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637280263-incident-file-ldsopreload-copy-and-read-redacted.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637280263-incident-file-ldsopreload-copy-and-read-redacted.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Sandfly Incident Response Tool Copies Hidden Data" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637280263-incident-file-ldsopreload-copy-and-read-redacted.png?auto=format&amp;fit=crop&amp;w=728" srcSet="https://www.datocms-assets.com/56687/1637280263-incident-file-ldsopreload-copy-and-read-redacted.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 
182w,https://www.datocms-assets.com/56687/1637280263-incident-file-ldsopreload-copy-and-read-redacted.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637280263-incident-file-ldsopreload-copy-and-read-redacted.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Sandfly Incident Response Tool Copies Hidden Data" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><h2>Inspecting Malicious LD_PRELOAD Library</h2><p>Now the file of interest in the entire rootkit is <em>/lib/libcurl.so.2.17.0</em>. This file being referenced in <em>/etc/ld.so.preload</em> means it is the one doing the grunt work of hiding the rootkit: because it is loaded ahead of libc in every dynamically linked process, its own versions of the library functions that programs use to list files, directories and processes are called instead of the real ones, and those wrappers filter out whatever the rootkit wants hidden. Strictly speaking it intercepts library calls in user space rather than kernel system calls, which is why it cannot hide from a tool that does not depend on the host's shared libraries. 
In this case, the file has other suspicious attributes such as being marked as immutable and also the rootkit was not allowing system commands to view it to avoid analysis.</p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='815' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1637275670-incident-immutable-file-lib-dir.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637275670-incident-immutable-file-lib-dir.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637275670-incident-immutable-file-lib-dir.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637275670-incident-immutable-file-lib-dir.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Immutable Linux Rootkit Binary Found in /lib" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637275670-incident-immutable-file-lib-dir.png?auto=format&amp;fit=crop&amp;w=728" srcSet="https://www.datocms-assets.com/56687/1637275670-incident-immutable-file-lib-dir.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 
182w,https://www.datocms-assets.com/56687/1637275670-incident-immutable-file-lib-dir.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637275670-incident-immutable-file-lib-dir.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Immutable Linux Rootkit Binary Found in /lib" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><p>Since system commands couldn't see or look at this file as it was defending itself, we again use Sandfly's forensic view to see some clues about what it is. 
Here we are focused in on the magic number showing it's an ELF type file as well as cryptographic hashes which can help to search for this file on other hosts if needed:</p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='543' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" data-src="https://www.datocms-assets.com/56687/1637275799-incident-immutable-file-lib-dir-details.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637275799-incident-immutable-file-lib-dir-details.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637275799-incident-immutable-file-lib-dir-details.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637275799-incident-immutable-file-lib-dir-details.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Suspicious libcurl.so.2.17.0 Binary Forensic Data" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637275799-incident-immutable-file-lib-dir-details.png?auto=format&amp;fit=crop&amp;w=728" 
srcSet="https://www.datocms-assets.com/56687/1637275799-incident-immutable-file-lib-dir-details.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637275799-incident-immutable-file-lib-dir-details.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637275799-incident-immutable-file-lib-dir-details.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Suspicious libcurl.so.2.17.0 Binary Forensic Data" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><p>The forensic data of the malicious library is presented below from Sandfly. Note that the file was created on Jun 26th, after the breach, but Sandfly was run on July 19th, which is why the dates are three weeks apart. A few details in this record deserve a second look. The path is reported as <em>/usr/lib/libcurl.so.2.17.0</em> while <em>/etc/ld.so.preload</em> references <em>/lib/libcurl.so.2.17.0</em>; on most modern distributions <em>/lib</em> is a symlink to <em>/usr/lib</em>, so these are very likely the same file, and any hunt across other hosts should check both spellings of the path. The modified time (06:55:12) is a few minutes earlier than the created time (06:59:10), which is consistent with the library having been built or staged elsewhere and copied onto the host with its timestamp preserved, although that is an inference from the timestamps alone. Finally, the MD5, SHA1, SHA256 and SHA512 hashes are the indicators to use when searching other hosts for this exact sample; a recompiled or repacked variant will not match them, so also hunt on the behaviours shown above (a non-empty <em>/etc/ld.so.preload</em>, immutable files under library directories, and processes holding <em>/etc/ld.so.preload</em> open). </p><pre data-language="json"><code>{
  &quot;end_time&quot;: &quot;2021-07-19T20:57:13Z&quot;,
  &quot;engine&quot;: &quot;sandfly_engine_file&quot;,
  &quot;euid&quot;: 0,
  &quot;euid_username&quot;: &quot;root&quot;,
  &quot;exec_seconds&quot;: 4,
  &quot;name&quot;: &quot;file_immutable_in_lib_dir&quot;,
  &quot;output_format&quot;: &quot;3.0&quot;,
  &quot;pid&quot;: 54929,
  &quot;results&quot;: {
    &quot;explanation&quot;: &quot;The file '/usr/lib/libcurl.so.2.17.0' is marked as immutable and was found under '/usr/lib/'. Immutable files are not common on Linux and often is done by malware to prevent itself from being deleted. Please investigate this file to be sure it is meant to be marked immutable and is not part of a malicious program or rootkit. It is owned by UID '0' and was created on 2021-06-26T06:59:10+12:00.&quot;,
    &quot;file&quot;: {
      &quot;blksize&quot;: 4096,
      &quot;blocks&quot;: 64,
      &quot;data&quot;: null,
      &quot;date&quot;: {
        &quot;accessed&quot;: &quot;2021-07-19T20:26:50+12:00&quot;,
        &quot;accessed_minutes&quot;: 750,
        &quot;created&quot;: &quot;2021-06-26T06:59:10+12:00&quot;,
        &quot;created_minutes&quot;: 34678,
        &quot;modified&quot;: &quot;2021-06-26T06:55:12+12:00&quot;,
        &quot;modified_minutes&quot;: 34682
      },
      &quot;device&quot;: 2049,
      &quot;entropy&quot;: 4.31,
      &quot;extension&quot;: &quot;.0&quot;,
      &quot;flags&quot;: {
        &quot;char_device&quot;: false,
        &quot;deleted&quot;: false,
        &quot;device&quot;: false,
        &quot;directory&quot;: false,
        &quot;hidden&quot;: false,
        &quot;immutable&quot;: true,
        &quot;link&quot;: false,
        &quot;named_pipe&quot;: false,
        &quot;regular&quot;: true,
        &quot;sgid&quot;: false,
        &quot;sgid_root&quot;: false,
        &quot;socket&quot;: false,
        &quot;sticky&quot;: false,
        &quot;suid&quot;: false,
        &quot;suid_root&quot;: false
      },
      &quot;gid&quot;: 0,
      &quot;gid_name&quot;: &quot;root&quot;,
      &quot;hash&quot;: {
        &quot;md5&quot;: &quot;fed81f7ec31811ac0d4fda157939504f&quot;,
        &quot;sha1&quot;: &quot;c8a4039a4c347e9571ac042c43028f3d7e2b9784&quot;,
        &quot;sha256&quot;: &quot;139adce4299a9c657347910061e0966482125c39b240eae5ee8b5b18de22c208&quot;,
        &quot;sha512&quot;: &quot;1828a57ec9d6f83d99d23f93769ad74cb22323138b73a3cd7f784005da628b974152d4aa26bd25bf34aec3a5eedeb6a05cfc3138919aef252b92c5cafdf5da44&quot;
      },
      &quot;inode&quot;: 135428,
      &quot;magic_num&quot;: {
        &quot;class&quot;: &quot;executable_linux&quot;,
        &quot;expected_extensions&quot;: [],
        &quot;hex&quot;: &quot;7f454c46020101000000&quot;,
        &quot;text&quot;: &quot;ELF\u0002\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000&gt;\u0000&quot;,
        &quot;type&quot;: &quot;elf&quot;
      },
      &quot;mode&quot;: &quot;0100755&quot;,
      &quot;name&quot;: &quot;libcurl.so.2.17.0&quot;,
      &quot;nlink&quot;: 1,
      &quot;path&quot;: &quot;/usr/lib/libcurl.so.2.17.0&quot;,
      &quot;path_link&quot;: &quot;&quot;,
      &quot;path_root&quot;: &quot;/usr/lib/&quot;,
      &quot;rdevice&quot;: 0,
      &quot;size&quot;: 31336,
      &quot;size_byte_count&quot;: 31336,
      &quot;size_mismatch&quot;: false,
      &quot;uid&quot;: 0,
      &quot;uid_name&quot;: &quot;root&quot;
    },
    &quot;response&quot;: {
      &quot;directory&quot;: {
        &quot;error&quot;: false
      },
      &quot;file&quot;: {
        &quot;error&quot;: false
      },
      &quot;log&quot;: {
        &quot;error&quot;: false
      },
      &quot;process&quot;: {
        &quot;error&quot;: false,
        &quot;killed&quot;: false,
        &quot;suspended&quot;: false
      },
      &quot;user&quot;: {
        &quot;error&quot;: false
      }
    }
  },
  &quot;severity&quot;: 3,
  &quot;start_time&quot;: &quot;2021-07-19T20:57:09Z&quot;,
  &quot;status&quot;: &quot;alert&quot;,
  &quot;status_msg&quot;: &quot;ok&quot;,
  &quot;tags&quot;: [
    &quot;attack.tactic.persistence&quot;,
    &quot;file&quot;
  ],
  &quot;type&quot;: &quot;file&quot;,
  &quot;uid&quot;: 0,
  &quot;uid_username&quot;: &quot;root&quot;
}</code></pre><h2>Malicious Binary Recovery</h2><p>Now that we know what kind of rootkit we have, we dive a bit into the suspicious process binaries. There were two processes called <em>bioset</em> and <em>kthreadd</em>. Both names mimic legitimate kernel threads; the real <em>kthreadd</em> in particular is a kernel thread with no executable on disk, so a process by that name backed by a file such as <em>/usr/bin/kthreadd</em> is a giveaway on its own. As discussed already, both of these processes had a keen interest in the <em>/etc/ld.so.preload</em> file, as both had open file descriptors to it. Not only this, but the processes also had watchdog capability, so if you killed the <em>kthreadd</em> process it would start back up again. </p><p>We did a cursory look and the <em>kthreadd</em> process appeared to be a generic cryptomining package. The <em>bioset</em> binary worked as the watchdog, SSH bruteforcer and command and control component. The binaries on the disk were again protected with immutable attributes and hidden from view with normal commands. </p><p>You can see below that normal system copy commands were not working to get the binary samples (located at <em>/usr/bin/bioset</em>). We again used <em>sfirt</em> to grab a copy and then took a SHA1 hash with the standard system binary once we had renamed the file to something the rootkit was not protecting. Bear in mind that a hashing tool run on a host with an LD_PRELOAD rootkit loaded is itself subject to interception, so a hash produced this way should be re-checked on a clean analysis host before it is circulated as an indicator:</p><p><div ariaRole="button" ariaLabel="Toggle Lightbox" class="ss--image ss--image--elevated ss--image--width-medium ss--image--lightbox"><div data-gatsby-image-wrapper class="gatsby-image-wrapper gatsby-image-wrapper-constrained"><div style="max-width: 728px; display: block;"><img alt role="presentation" aria-hidden="true" src="data:image/svg+xml;charset=utf-8,%3Csvg height='285' width='728' xmlns='http://www.w3.org/2000/svg' version='1.1'%3E%3C/svg%3E" style="max-width: 100%; display: block; position: static;" /></div><img aria-hidden="true" data-placeholder-image style="opacity: 1; transition: opacity 500ms linear;" decoding="async" src="" alt /><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" 
data-src="https://www.datocms-assets.com/56687/1637280137-incident-usr-bin-bioset-copy-failed-sfirt-bioset-copy-success-redacted.png?auto=format&amp;fit=crop&amp;w=728" data-srcset="https://www.datocms-assets.com/56687/1637280137-incident-usr-bin-bioset-copy-failed-sfirt-bioset-copy-success-redacted.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637280137-incident-usr-bin-bioset-copy-failed-sfirt-bioset-copy-success-redacted.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637280137-incident-usr-bin-bioset-copy-failed-sfirt-bioset-copy-success-redacted.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Malicious Binary Protects Itself from Copying" /><noscript><img data-gatsby-image-ssr data-main-image style="opacity: 0;" sizes="(min-width: 728px) 728px, 100vw" decoding="async" loading="lazy" src="https://www.datocms-assets.com/56687/1637280137-incident-usr-bin-bioset-copy-failed-sfirt-bioset-copy-success-redacted.png?auto=format&amp;fit=crop&amp;w=728" srcSet="https://www.datocms-assets.com/56687/1637280137-incident-usr-bin-bioset-copy-failed-sfirt-bioset-copy-success-redacted.png?auto=format&amp;dpr=0.25&amp;fit=crop&amp;w=728 182w,https://www.datocms-assets.com/56687/1637280137-incident-usr-bin-bioset-copy-failed-sfirt-bioset-copy-success-redacted.png?auto=format&amp;dpr=0.5&amp;fit=crop&amp;w=728 364w,https://www.datocms-assets.com/56687/1637280137-incident-usr-bin-bioset-copy-failed-sfirt-bioset-copy-success-redacted.png?auto=format&amp;fit=crop&amp;w=728 728w" alt="Malicious Binary Protects Itself from Copying" /></noscript><script type="module">const t="undefined"!=typeof HTMLImageElement&&"loading"in HTMLImageElement.prototype;if(t){const t=document.querySelectorAll("img[data-main-image]");for(let e of 
t){e.dataset.src&&(e.setAttribute("src",e.dataset.src),e.removeAttribute("data-src")),e.dataset.srcset&&(e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset"));const t=e.parentNode.querySelectorAll("source[data-srcset]");for(let e of t)e.setAttribute("srcset",e.dataset.srcset),e.removeAttribute("data-srcset");e.complete&&(e.style.opacity=1)}}</script></div><span class="ss--image__icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 512 512" height="1em" width="1em" xmlns="http://www.w3.org/2000/svg"><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"></path></svg></span></div></p><p>Running the hashes through VirusTotal didn't produce anything meaningful for the <em>bioset</em> binary or the <em>libcurl</em> library at the time (now resolved, as we submitted the samples). However, the <em>kthreadd</em> binary did come back as a confirmed cryptominer. Note that a clean VirusTotal result for a sample recovered from a host with an active rootkit says nothing about whether it is malicious; the file's behaviour on the host had already established that, and the lack of detections simply meant the sample was not yet known. While this was helpful to know, the <em>bioset</em> binary was still a bit of a mystery. The full capability of what it could do as the main controller of the malware was not analyzed for this report, other than to observe its involvement in SSH bruteforcing and helping the malware to spread.</p><p><strong>While it's nice to be able to dismiss something as &quot;only&quot; a cryptominer, it's important to remember that a compromised system could have had anything done to it by an attacker. It is not even unreasonable to assume that droppers that appear to be cryptomining could be left behind to throw investigators off the track of what the real intent of the attack actually was. 
</strong></p><p>As this was an informal investigation, we left well enough alone: the system was already isolated and no longer a risk to the rest of the network. </p><h2>SSH Key Persistence and Odds and Ends</h2><p>To wrap up the main functionality of this malware, it made other system alterations such as inserting a malicious SSH public key into the root user's <em>authorized_keys</em> file. This gives the attacker password-less root access that survives reboots and password changes, so it has to be removed explicitly even after the binaries are gone. Details are provided in the appendix. When hunting for this, check <em>authorized_keys</em> for every account rather than only root, and keep in mind that while the rootkit's preload library is active the file contents shown by normal commands cannot be trusted. The malware also modified miscellaneous system files like <em>/etc/resolv.conf</em> (worth comparing against your expected resolvers, since a swapped resolver lets an attacker observe or redirect name lookups) and had open network connections to its command and control server.</p><h2>Linux EDR Evasion</h2><p>One aspect of this rootkit is that it was able to completely evade a well-known EDR vendor's agent that was loaded on this system. From what we can see, the malware itself was not specifically designed to evade EDR; the evasion was a side-effect of how this EDR is built. This will be covered in Part 2 of this article.</p><h2>Wrap Up - Protect Your Linux Hosts</h2><p>As a vendor in agentless Linux EDR, we recommend you monitor all hosts for compromise continually. Early detection is paramount to prevent minor incidents from becoming major catastrophes. </p><p>This was a well executed piece of malware. It used a simple LD_PRELOAD rootkit to hide effectively and was able to protect itself against discovery and removal to the point where it completely evaded another Linux EDR solution (covered in Part 2). In terms of malware, we actually rate this one pretty good for a cryptominer. It shows that Linux malware authors are starting to improve their tactics and capabilities. </p><p>We hope the above shows that Linux malware is evolving rapidly and that attackers are getting smarter about maintaining access and hiding their intentions. If you'd like to monitor your Linux hosts for free, please check out Sandfly and <a href="https://www.sandflysecurity.com/pricing/">get an instant free license</a> to do so today. 
</p><h2>Indicators of Compromise</h2><p>The following files are associated with this malware (MD5/SHA-1/SHA-256/SHA-512 hashes for <em>bioset</em> and <em>kthreadd</em> are in the appendix JSON below):</p><p><em>/etc/ld.so.preload</em> containing the path /lib/<em>libcurl.so.2.17.0</em>. On a healthy host this file is normally absent or empty, so any entry in it deserves investigation.</p><p><em>/lib/libcurl.so.2.17.0</em> (the LD_PRELOAD rootkit library; the name is chosen to look like the legitimate libcurl)</p><p><em>/usr/bin/bioset</em> (controller; observed doing SSH brute forcing and spreading)</p><p><em>/usr/bin/kthreadd</em> (the cryptominer)</p><p><em>/root/.ssh/authorized_keys</em> (malicious key inserted; see the appendix)</p><p>Immutable flags are set on the above and/or they will not be readable with normal system commands due to the rootkit's presence. Verify from a statically linked tool or from an offline/rescue boot (a statically linked binary does not process <em>/etc/ld.so.preload</em>), use <em>lsattr</em> to confirm the immutable bit and clear it with <em>chattr -i</em> before removal. Note also that the process names mimic kernel threads: a genuine kernel thread has no on-disk executable and an empty command line, whereas these show <em>/usr/bin/bioset</em> and <em>/usr/bin/kthreadd</em> as their cmdline, run as root with PPID 1, and sit in the <em>systemd-journald.service</em> cgroup, so tooling that trusts cgroup or service membership may lump them in with journald.</p><h2>References</h2><p>After our discovery we found references to variants of this malware on a Chinese site:</p><p><a href="https://zhuanlan.zhihu.com/p/348960748">Analysis of &quot;Cloud Shovel&quot; Mining Trojan Event for a Cloud Platform Server</a></p><h2>Appendix: Malware Forensic Data</h2><p>Below is the JSON forensic data from Sandfly on the malicious processes and files. The <em>pid</em> values inside <em>results.process</em> (6421 for <em>bioset</em>, 6572 for <em>kthreadd</em>) identify the malicious processes; the top-level <em>pid</em> (54929, identical in both alerts) appears to belong to the scan engine rather than the malware.</p><h3>Malicious bioset Process</h3><pre data-language="json"><code>{
  &quot;end_time&quot;: &quot;2021-07-19T20:59:10Z&quot;,
  &quot;engine&quot;: &quot;sandfly_engine_process&quot;,
  &quot;euid&quot;: 0,
  &quot;euid_username&quot;: &quot;root&quot;,
  &quot;exec_seconds&quot;: 0,
  &quot;name&quot;: &quot;process_entropy_high&quot;,
  &quot;output_format&quot;: &quot;3.0&quot;,
  &quot;pid&quot;: 54929,
  &quot;results&quot;: {
    &quot;explanation&quot;: &quot;The process name 'bioset' with PID '6421' was started with a binary with very high entropy of 7.94 (out of 8.0 for perfect randomness). This indicates it is packed or encrypted which is commonly done with malware to hide from virus scanners or disassembly.&quot;,
    &quot;process&quot;: {
      &quot;binary&quot;: {
        &quot;blksize&quot;: 4096,
        &quot;blocks&quot;: 2912,
        &quot;data&quot;: null,
        &quot;date&quot;: {
          &quot;accessed&quot;: &quot;2021-07-19T20:26:50+12:00&quot;,
          &quot;accessed_minutes&quot;: 752,
          &quot;created&quot;: &quot;2021-06-26T06:59:10+12:00&quot;,
          &quot;created_minutes&quot;: 34679,
          &quot;modified&quot;: &quot;2021-06-26T06:55:08+12:00&quot;,
          &quot;modified_minutes&quot;: 34683
        },
        &quot;device&quot;: 2049,
        &quot;entropy&quot;: 7.94,
        &quot;extension&quot;: &quot;&quot;,
        &quot;flags&quot;: {
          &quot;char_device&quot;: false,
          &quot;deleted&quot;: false,
          &quot;device&quot;: false,
          &quot;directory&quot;: false,
          &quot;hidden&quot;: false,
          &quot;immutable&quot;: true,
          &quot;link&quot;: false,
          &quot;named_pipe&quot;: false,
          &quot;regular&quot;: true,
          &quot;sgid&quot;: false,
          &quot;sgid_root&quot;: false,
          &quot;socket&quot;: false,
          &quot;sticky&quot;: false,
          &quot;suid&quot;: false,
          &quot;suid_root&quot;: false
        },
        &quot;gid&quot;: 0,
        &quot;gid_name&quot;: &quot;root&quot;,
        &quot;hash&quot;: {
          &quot;md5&quot;: &quot;bf3a2ed557251175e994539f8cbcf150&quot;,
          &quot;sha1&quot;: &quot;fa45b3f8143a4ab044189ff01e105b2140d6fb53&quot;,
          &quot;sha256&quot;: &quot;3049053abbf20a0c837ad09e1712051474515d44469355c549329df57ee0a613&quot;,
          &quot;sha512&quot;: &quot;e37fadfb5200f19f7e836829155b343957eae1f0588c2c6ebc3c9a78935c2ae8cdcd8a15858e70796a69ce70bc76ac3b073fbf48feb2cf990f29c414866b606d&quot;
        },
        &quot;inode&quot;: 135416,
        &quot;magic_num&quot;: {
          &quot;class&quot;: &quot;executable_linux&quot;,
          &quot;expected_extensions&quot;: [],
          &quot;hex&quot;: &quot;7f454c46020101030000&quot;,
          &quot;text&quot;: &quot;ELF\u0002\u0001\u0001\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000&gt;\u0000&quot;,
          &quot;type&quot;: &quot;elf&quot;
        },
        &quot;mode&quot;: &quot;0100755&quot;,
        &quot;name&quot;: &quot;bioset&quot;,
        &quot;nlink&quot;: 1,
        &quot;path&quot;: &quot;/usr/bin/bioset&quot;,
        &quot;path_link&quot;: &quot;&quot;,
        &quot;path_root&quot;: &quot;/usr/bin/&quot;,
        &quot;rdevice&quot;: 0,
        &quot;size&quot;: 1490496,
        &quot;size_byte_count&quot;: 1490496,
        &quot;size_mismatch&quot;: false,
        &quot;uid&quot;: 0,
        &quot;uid_name&quot;: &quot;root&quot;
      },
      &quot;cgroup&quot;: [
        {
          &quot;controller_list&quot;: &quot;freezer&quot;,
          &quot;hierarchy_id&quot;: &quot;11&quot;,
          &quot;path&quot;: &quot;/&quot;
        },
        {
          &quot;controller_list&quot;: &quot;devices&quot;,
          &quot;hierarchy_id&quot;: &quot;10&quot;,
          &quot;path&quot;: &quot;/system.slice/systemd-journald.service&quot;
        },
        {
          &quot;controller_list&quot;: &quot;cpuset&quot;,
          &quot;hierarchy_id&quot;: &quot;9&quot;,
          &quot;path&quot;: &quot;/&quot;
        },
        {
          &quot;controller_list&quot;: &quot;blkio&quot;,
          &quot;hierarchy_id&quot;: &quot;8&quot;,
          &quot;path&quot;: &quot;/system.slice/systemd-journald.service&quot;
        },
        {
          &quot;controller_list&quot;: &quot;cpuacct,cpu&quot;,
          &quot;hierarchy_id&quot;: &quot;7&quot;,
          &quot;path&quot;: &quot;/system.slice/systemd-journald.service&quot;
        },
        {
          &quot;controller_list&quot;: &quot;perf_event&quot;,
          &quot;hierarchy_id&quot;: &quot;6&quot;,
          &quot;path&quot;: &quot;/&quot;
        },
        {
          &quot;controller_list&quot;: &quot;hugetlb&quot;,
          &quot;hierarchy_id&quot;: &quot;5&quot;,
          &quot;path&quot;: &quot;/&quot;
        },
        {
          &quot;controller_list&quot;: &quot;pids&quot;,
          &quot;hierarchy_id&quot;: &quot;4&quot;,
          &quot;path&quot;: &quot;/system.slice/systemd-journald.service&quot;
        },
        {
          &quot;controller_list&quot;: &quot;net_prio,net_cls&quot;,
          &quot;hierarchy_id&quot;: &quot;3&quot;,
          &quot;path&quot;: &quot;/&quot;
        },
        {
          &quot;controller_list&quot;: &quot;memory&quot;,
          &quot;hierarchy_id&quot;: &quot;2&quot;,
          &quot;path&quot;: &quot;/system.slice/systemd-journald.service&quot;
        },
        {
          &quot;controller_list&quot;: &quot;name=systemd&quot;,
          &quot;hierarchy_id&quot;: &quot;1&quot;,
          &quot;path&quot;: &quot;/system.slice/systemd-journald.service&quot;
        }
      ],
      &quot;cmdline&quot;: &quot;/usr/bin/bioset&quot;,
      &quot;command&quot;: &quot;bioset&quot;,
      &quot;container&quot;: {
        &quot;id&quot;: &quot;&quot;,
        &quot;id_short&quot;: &quot;&quot;,
        &quot;upperdir&quot;: &quot;&quot;,
        &quot;workingdir&quot;: &quot;&quot;
      },
      &quot;cwd&quot;: &quot;/&quot;,
      &quot;date&quot;: {
        &quot;created&quot;: &quot;2021-07-19T23:53:48+12:00&quot;,
        &quot;created_minutes&quot;: 545
      },
      &quot;entropy&quot;: 7.94,
      &quot;environ&quot;: [
        &quot;PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin&quot;,
        &quot;PWD=/&quot;,
        &quot;LANG=en_NZ.UTF-8&quot;,
        &quot;NOTIFY_SOCKET=/run/systemd/notify&quot;,
        &quot;SHLVL=1&quot;,
        &quot;WATCHDOG_PID=471&quot;,
        &quot;WATCHDOG_USEC=180000000&quot;,
        &quot;_=/usr/bin/bioset&quot;,
        &quot;&quot;
      ],
      &quot;extension&quot;: &quot;&quot;,
      &quot;file_descriptors&quot;: [
        {
          &quot;class&quot;: &quot;device&quot;,
          &quot;number&quot;: 0,
          &quot;path&quot;: &quot;/dev/null&quot;,
          &quot;type&quot;: &quot;block&quot;
        },
        {
          &quot;class&quot;: &quot;device&quot;,
          &quot;number&quot;: 1,
          &quot;path&quot;: &quot;/dev/null&quot;,
          &quot;type&quot;: &quot;block&quot;
        },
        {
          &quot;class&quot;: &quot;device&quot;,
          &quot;number&quot;: 2,
          &quot;path&quot;: &quot;/dev/null&quot;,
          &quot;type&quot;: &quot;block&quot;
        }
      ],
      &quot;flags&quot;: {
        &quot;containerized&quot;: false,
        &quot;deleted&quot;: false,
        &quot;hidden&quot;: false,
        &quot;immutable&quot;: true
      },
      &quot;gid&quot;: 0,
      &quot;gid_name&quot;: &quot;root&quot;,
      &quot;hash&quot;: {
        &quot;md5&quot;: &quot;bf3a2ed557251175e994539f8cbcf150&quot;,
        &quot;sha1&quot;: &quot;fa45b3f8143a4ab044189ff01e105b2140d6fb53&quot;,
        &quot;sha256&quot;: &quot;3049053abbf20a0c837ad09e1712051474515d44469355c549329df57ee0a613&quot;,
        &quot;sha512&quot;: &quot;e37fadfb5200f19f7e836829155b343957eae1f0588c2c6ebc3c9a78935c2ae8cdcd8a15858e70796a69ce70bc76ac3b073fbf48feb2cf990f29c414866b606d&quot;
      },
      &quot;maps&quot;: [
        &quot;00400000-00401000 r--p 00000000 00:00 0 &quot;,
        &quot;00401000-00676000 r-xp 00000000 00:00 0 &quot;,
        &quot;00676000-00776000 r--p 00000000 00:00 0 &quot;,
        &quot;00776000-007ae000 rw-p 00000000 00:00 0 &quot;,
        &quot;027a4000-027c7000 rw-p 00000000 00:00 0                                  [heap]&quot;,
        &quot;7f7c08000000-7f7c08029000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c08029000-7f7c0c000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c0c000000-7f7c0c029000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c0c029000-7f7c10000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c10000000-7f7c10029000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c10029000-7f7c14000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c14000000-7f7c14029000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c14029000-7f7c18000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c18000000-7f7c18029000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c18029000-7f7c1c000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c1ef76000-7f7c1ef77000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c1ef77000-7f7c1f777000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c1f777000-7f7c1f778000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c1f778000-7f7c1ff78000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c1ff78000-7f7c1ff79000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c1ff79000-7f7c20779000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c20779000-7f7c2077a000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2077a000-7f7c20f7a000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c20f7a000-7f7c20f7b000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c20f7b000-7f7c2177b000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2177b000-7f7c2177c000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2177c000-7f7c21f7c000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c21f7c000-7f7c21f7d000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c21f7d000-7f7c2277d000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2277d000-7f7c2277e000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2277e000-7f7c22f7e000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c22f7e000-7f7c22f7f000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c22f7f000-7f7c2377f000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2377f000-7f7c23780000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c23780000-7f7c23f80000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c23f80000-7f7c23f81000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c23f81000-7f7c24781000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c24781000-7f7c24782000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c24782000-7f7c24f82000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c24f82000-7f7c24f83000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c24f83000-7f7c25783000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c25783000-7f7c25784000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c25784000-7f7c25f84000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c25f84000-7f7c25f85000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c25f85000-7f7c26785000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c26785000-7f7c26786000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c26786000-7f7c26f86000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c26f86000-7f7c26f87000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c26f87000-7f7c27787000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c27787000-7f7c27788000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c27788000-7f7c27f88000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c27f88000-7f7c27f89000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c27f89000-7f7c28789000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c28789000-7f7c2878a000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2878a000-7f7c28f8a000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c28f8a000-7f7c28f8b000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c28f8b000-7f7c2978b000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2978b000-7f7c2978c000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2978c000-7f7c29f8c000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c29f8c000-7f7c29f8d000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c29f8d000-7f7c2a78d000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2a78d000-7f7c2a78e000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2a78e000-7f7c2af8e000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2af8e000-7f7c2af8f000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2af8f000-7f7c2b78f000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2b78f000-7f7c2b790000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2b790000-7f7c2bf90000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2bf90000-7f7c2bf91000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2bf91000-7f7c2c791000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2c791000-7f7c2c792000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2c792000-7f7c2cf92000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2cf92000-7f7c2cf93000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2cf93000-7f7c2d793000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2d793000-7f7c2d794000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2d794000-7f7c2df94000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2df94000-7f7c2df95000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2df95000-7f7c2e795000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2e795000-7f7c2e796000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2e796000-7f7c2ef96000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2ef96000-7f7c2ef97000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2ef97000-7f7c2f797000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2f797000-7f7c2f798000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2f798000-7f7c2ff98000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c2ff98000-7f7c2ff99000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c2ff99000-7f7c30799000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c30799000-7f7c3079a000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3079a000-7f7c30f9a000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c30f9a000-7f7c30f9b000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c30f9b000-7f7c3179b000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3179b000-7f7c3179c000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3179c000-7f7c31f9c000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c31f9c000-7f7c31f9d000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c31f9d000-7f7c3279d000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3279d000-7f7c3279e000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3279e000-7f7c32f9e000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c32f9e000-7f7c32f9f000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c32f9f000-7f7c3379f000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3379f000-7f7c337a0000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c337a0000-7f7c33fa0000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c33fa0000-7f7c33fa1000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c33fa1000-7f7c347a1000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c347a1000-7f7c347a2000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c347a2000-7f7c34fa2000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c34fa2000-7f7c34fa3000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c34fa3000-7f7c357a3000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c357a3000-7f7c357a4000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c357a4000-7f7c35fa4000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c35fa4000-7f7c35fa5000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c35fa5000-7f7c367a5000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c367a5000-7f7c367a6000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c367a6000-7f7c36fa6000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c36fa6000-7f7c36fa7000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c36fa7000-7f7c377a7000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c377a7000-7f7c377a8000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c377a8000-7f7c37fa8000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c37fa8000-7f7c37fa9000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c37fa9000-7f7c387a9000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c387a9000-7f7c387aa000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c387aa000-7f7c38faa000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c38faa000-7f7c38fab000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c38fab000-7f7c397ab000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c397ab000-7f7c397ac000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c397ac000-7f7c39fac000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c39fac000-7f7c39fad000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c39fad000-7f7c3a7ad000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3a7ad000-7f7c3a7ae000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3a7ae000-7f7c3afae000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3afae000-7f7c3afaf000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3afaf000-7f7c3b7af000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3b7af000-7f7c3b7b0000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3b7b0000-7f7c3bfb0000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3bfb0000-7f7c3bfb1000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3bfb1000-7f7c3c7b1000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3c7b1000-7f7c3c7b2000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3c7b2000-7f7c3cfb2000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3cfb2000-7f7c3cfb3000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3cfb3000-7f7c3d7b3000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3d7b3000-7f7c3d7b4000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3d7b4000-7f7c3dfb4000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3dfb4000-7f7c3dfb5000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3dfb5000-7f7c3e7b5000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3e7b5000-7f7c3e7b6000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3e7b6000-7f7c3efb6000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3efb6000-7f7c3efb7000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3efb7000-7f7c3f7b7000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3f7b7000-7f7c3f7b8000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3f7b8000-7f7c3ffb8000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c3ffb8000-7f7c3ffb9000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c3ffb9000-7f7c407b9000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c407b9000-7f7c407ba000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c407ba000-7f7c40fba000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c54000000-7f7c54029000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c54029000-7f7c58000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c5c000000-7f7c5c029000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c5c029000-7f7c60000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c60000000-7f7c60029000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c60029000-7f7c64000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c64000000-7f7c64029000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c64029000-7f7c68000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c68000000-7f7c68029000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c68029000-7f7c6c000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c6c000000-7f7c6c029000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c6c029000-7f7c70000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c70000000-7f7c70029000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c70029000-7f7c74000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c74000000-7f7c74021000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c74021000-7f7c78000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c7b46e000-7f7c7b46f000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c7b46f000-7f7c7bc6f000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c7bc6f000-7f7c7bc70000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c7bc70000-7f7c7c470000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c7c470000-7f7c7c471000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c7c471000-7f7c7cc71000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c7cc71000-7f7c7cc72000 ---p 00000000 00:00 0 &quot;,
        &quot;7f7c7cc72000-7f7c7d472000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f7c7d472000-7f7c7d473000 r--p 00000000 08:01 135416                     /usr/bin/bioset&quot;,
        &quot;7ffe064e2000-7ffe06503000 rw-p 00000000 00:00 0                          [stack]&quot;,
        &quot;7ffe06518000-7ffe0651a000 r-xp 00000000 00:00 0                          [vdso]&quot;,
        &quot;ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]&quot;
      ],
      &quot;name&quot;: &quot;bioset&quot;,
      &quot;network_ports&quot;: {
        &quot;established&quot;: false,
        &quot;established_num&quot;: 0,
        &quot;icmp&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;icmp6&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;listening&quot;: false,
        &quot;listening_num&quot;: 0,
        &quot;operating&quot;: false,
        &quot;raw&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;raw6&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;sctp&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;tcp&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;tcp6&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;udp&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;udp6&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        }
      },
      &quot;path&quot;: &quot;/usr/bin/bioset&quot;,
      &quot;pgid&quot;: 6421,
      &quot;pid&quot;: 6421,
      &quot;ppid&quot;: 1,
      &quot;stack&quot;: [
        &quot;hrtimer_nanosleep+0xbb/0x180&quot;,
        &quot;SyS_nanosleep+0x96/0xb0&quot;,
        &quot;system_call_fastpath+0x25/0x2a&quot;,
        &quot;0xffffffffffffffff&quot;
      ],
      &quot;state&quot;: &quot;S&quot;,
      &quot;system_uptime&quot;: &quot;2021-07-10T14:24:17+12:00&quot;,
      &quot;uid&quot;: 0,
      &quot;uid_name&quot;: &quot;root&quot;
    },
    &quot;response&quot;: {
      &quot;directory&quot;: {
        &quot;error&quot;: false
      },
      &quot;file&quot;: {
        &quot;error&quot;: false
      },
      &quot;log&quot;: {
        &quot;error&quot;: false
      },
      &quot;process&quot;: {
        &quot;error&quot;: false,
        &quot;killed&quot;: false,
        &quot;suspended&quot;: false
      },
      &quot;user&quot;: {
        &quot;error&quot;: false
      }
    }
  },
  &quot;severity&quot;: 3,
  &quot;start_time&quot;: &quot;2021-07-19T20:59:10Z&quot;,
  &quot;status&quot;: &quot;alert&quot;,
  &quot;status_msg&quot;: &quot;ok&quot;,
  &quot;tags&quot;: [
    &quot;attack.id.T1027&quot;,
    &quot;attack.tactic.defense_evasion&quot;,
    &quot;attack.tactic.execution&quot;,
    &quot;process&quot;
  ],
  &quot;type&quot;: &quot;process&quot;,
  &quot;uid&quot;: 0,
  &quot;uid_username&quot;: &quot;root&quot;
}</code></pre><h3>Malicious kthreadd Process</h3><pre data-language="json"><code>{
  &quot;end_time&quot;: &quot;2021-07-19T20:59:10Z&quot;,
  &quot;engine&quot;: &quot;sandfly_engine_process&quot;,
  &quot;euid&quot;: 0,
  &quot;euid_username&quot;: &quot;root&quot;,
  &quot;exec_seconds&quot;: 0,
  &quot;name&quot;: &quot;process_entropy_high&quot;,
  &quot;output_format&quot;: &quot;3.0&quot;,
  &quot;pid&quot;: 54929,
  &quot;results&quot;: {
    &quot;explanation&quot;: &quot;The process name 'kthreadd' with PID '6572' was started with a binary with very high entropy of 7.94 (out of 8.0 for perfect randomness). This indicates it is packed or encrypted which is commonly done with malware to hide from virus scanners or disassembly.&quot;,
    &quot;process&quot;: {
      &quot;binary&quot;: {
        &quot;blksize&quot;: 4096,
        &quot;blocks&quot;: 2496,
        &quot;data&quot;: null,
        &quot;date&quot;: {
          &quot;accessed&quot;: &quot;2021-07-19T20:26:50+12:00&quot;,
          &quot;accessed_minutes&quot;: 752,
          &quot;created&quot;: &quot;2021-06-26T06:59:10+12:00&quot;,
          &quot;created_minutes&quot;: 34679,
          &quot;modified&quot;: &quot;2021-06-26T06:56:58+12:00&quot;,
          &quot;modified_minutes&quot;: 34682
        },
        &quot;device&quot;: 2049,
        &quot;entropy&quot;: 7.94,
        &quot;extension&quot;: &quot;&quot;,
        &quot;flags&quot;: {
          &quot;char_device&quot;: false,
          &quot;deleted&quot;: false,
          &quot;device&quot;: false,
          &quot;directory&quot;: false,
          &quot;hidden&quot;: false,
          &quot;immutable&quot;: true,
          &quot;link&quot;: false,
          &quot;named_pipe&quot;: false,
          &quot;regular&quot;: true,
          &quot;sgid&quot;: false,
          &quot;sgid_root&quot;: false,
          &quot;socket&quot;: false,
          &quot;sticky&quot;: false,
          &quot;suid&quot;: false,
          &quot;suid_root&quot;: false
        },
        &quot;gid&quot;: 0,
        &quot;gid_name&quot;: &quot;root&quot;,
        &quot;hash&quot;: {
          &quot;md5&quot;: &quot;7275d8b380e6facc7c5420603f2672cc&quot;,
          &quot;sha1&quot;: &quot;1a6ad6106aa4dacb6fc8262169779f743b9255bd&quot;,
          &quot;sha256&quot;: &quot;98412571e95a5cdd24879389f846f3571d5975a92a4d467d292e4c1d6a481cef&quot;,
          &quot;sha512&quot;: &quot;b664e43a878f7a598fd656b31a0eb687533bd9689e22803051cd32d64205518e7b16e715c16a476e471f25dc0368922c33cc519becdc7a7ac41916a494ab85eb&quot;
        },
        &quot;inode&quot;: 135430,
        &quot;magic_num&quot;: {
          &quot;class&quot;: &quot;executable_linux&quot;,
          &quot;expected_extensions&quot;: [],
          &quot;hex&quot;: &quot;7f454c46020101030000&quot;,
          &quot;text&quot;: &quot;ELF\u0002\u0001\u0001\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000&gt;\u0000&quot;,
          &quot;type&quot;: &quot;elf&quot;
        },
        &quot;mode&quot;: &quot;0100755&quot;,
        &quot;name&quot;: &quot;kthreadd&quot;,
        &quot;nlink&quot;: 1,
        &quot;path&quot;: &quot;/usr/bin/kthreadd&quot;,
        &quot;path_link&quot;: &quot;&quot;,
        &quot;path_root&quot;: &quot;/usr/bin/&quot;,
        &quot;rdevice&quot;: 0,
        &quot;size&quot;: 1274136,
        &quot;size_byte_count&quot;: 1274136,
        &quot;size_mismatch&quot;: false,
        &quot;uid&quot;: 0,
        &quot;uid_name&quot;: &quot;root&quot;
      },
      &quot;cgroup&quot;: [
        {
          &quot;controller_list&quot;: &quot;freezer&quot;,
          &quot;hierarchy_id&quot;: &quot;11&quot;,
          &quot;path&quot;: &quot;/&quot;
        },
        {
          &quot;controller_list&quot;: &quot;devices&quot;,
          &quot;hierarchy_id&quot;: &quot;10&quot;,
          &quot;path&quot;: &quot;/system.slice/systemd-journald.service&quot;
        },
        {
          &quot;controller_list&quot;: &quot;cpuset&quot;,
          &quot;hierarchy_id&quot;: &quot;9&quot;,
          &quot;path&quot;: &quot;/&quot;
        },
        {
          &quot;controller_list&quot;: &quot;blkio&quot;,
          &quot;hierarchy_id&quot;: &quot;8&quot;,
          &quot;path&quot;: &quot;/system.slice/systemd-journald.service&quot;
        },
        {
          &quot;controller_list&quot;: &quot;cpuacct,cpu&quot;,
          &quot;hierarchy_id&quot;: &quot;7&quot;,
          &quot;path&quot;: &quot;/system.slice/systemd-journald.service&quot;
        },
        {
          &quot;controller_list&quot;: &quot;perf_event&quot;,
          &quot;hierarchy_id&quot;: &quot;6&quot;,
          &quot;path&quot;: &quot;/&quot;
        },
        {
          &quot;controller_list&quot;: &quot;hugetlb&quot;,
          &quot;hierarchy_id&quot;: &quot;5&quot;,
          &quot;path&quot;: &quot;/&quot;
        },
        {
          &quot;controller_list&quot;: &quot;pids&quot;,
          &quot;hierarchy_id&quot;: &quot;4&quot;,
          &quot;path&quot;: &quot;/system.slice/systemd-journald.service&quot;
        },
        {
          &quot;controller_list&quot;: &quot;net_prio,net_cls&quot;,
          &quot;hierarchy_id&quot;: &quot;3&quot;,
          &quot;path&quot;: &quot;/&quot;
        },
        {
          &quot;controller_list&quot;: &quot;memory&quot;,
          &quot;hierarchy_id&quot;: &quot;2&quot;,
          &quot;path&quot;: &quot;/system.slice/systemd-journald.service&quot;
        },
        {
          &quot;controller_list&quot;: &quot;name=systemd&quot;,
          &quot;hierarchy_id&quot;: &quot;1&quot;,
          &quot;path&quot;: &quot;/system.slice/systemd-journald.service&quot;
        }
      ],
      &quot;cmdline&quot;: &quot;/usr/bin/kthreadd&quot;,
      &quot;command&quot;: &quot;kthreadd&quot;,
      &quot;container&quot;: {
        &quot;id&quot;: &quot;&quot;,
        &quot;id_short&quot;: &quot;&quot;,
        &quot;upperdir&quot;: &quot;&quot;,
        &quot;workingdir&quot;: &quot;&quot;
      },
      &quot;cwd&quot;: &quot;/&quot;,
      &quot;date&quot;: {
        &quot;created&quot;: &quot;2021-07-19T23:53:48+12:00&quot;,
        &quot;created_minutes&quot;: 545
      },
      &quot;entropy&quot;: 7.94,
      &quot;environ&quot;: [
        &quot;PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin&quot;,
        &quot;_=/usr/bin/kthreadd&quot;,
        &quot;   =/usr/bin/bioset&quot;,
        &quot;PWD=/&quot;,
        &quot;LANG=en_NZ.UTF-8&quot;,
        &quot;NOTIFY_SOCKET=/run/systemd/notify&quot;,
        &quot;SHLVL=2&quot;,
        &quot;WATCHDOG_PID=471&quot;,
        &quot;WATCHDOG_USEC=180000000&quot;,
        &quot;&quot;
      ],
      &quot;extension&quot;: &quot;&quot;,
      &quot;file_descriptors&quot;: [
        {
          &quot;class&quot;: &quot;device&quot;,
          &quot;number&quot;: 0,
          &quot;path&quot;: &quot;/dev/null&quot;,
          &quot;type&quot;: &quot;block&quot;
        },
        {
          &quot;class&quot;: &quot;device&quot;,
          &quot;number&quot;: 8,
          &quot;path&quot;: &quot;pipe:[8506748]&quot;,
          &quot;type&quot;: &quot;pipe&quot;
        },
        {
          &quot;class&quot;: &quot;unknown&quot;,
          &quot;number&quot;: 11,
          &quot;path&quot;: &quot;anon_inode:[eventfd]&quot;,
          &quot;type&quot;: &quot;unknown&quot;
        },
        {
          &quot;class&quot;: &quot;device&quot;,
          &quot;number&quot;: 12,
          &quot;path&quot;: &quot;/dev/null&quot;,
          &quot;type&quot;: &quot;block&quot;
        },
        {
          &quot;class&quot;: &quot;device&quot;,
          &quot;number&quot;: 4,
          &quot;path&quot;: &quot;pipe:[8506749]&quot;,
          &quot;type&quot;: &quot;pipe&quot;
        },
        {
          &quot;class&quot;: &quot;unknown&quot;,
          &quot;number&quot;: 3,
          &quot;path&quot;: &quot;anon_inode:[eventpoll]&quot;,
          &quot;type&quot;: &quot;unknown&quot;
        },
        {
          &quot;class&quot;: &quot;unknown&quot;,
          &quot;number&quot;: 5,
          &quot;path&quot;: &quot;socket:[8506728]&quot;,
          &quot;type&quot;: &quot;socket&quot;
        },
        {
          &quot;class&quot;: &quot;device&quot;,
          &quot;number&quot;: 6,
          &quot;path&quot;: &quot;pipe:[8506749]&quot;,
          &quot;type&quot;: &quot;pipe&quot;
        },
        {
          &quot;class&quot;: &quot;device&quot;,
          &quot;number&quot;: 1,
          &quot;path&quot;: &quot;/dev/null&quot;,
          &quot;type&quot;: &quot;block&quot;
        },
        {
          &quot;class&quot;: &quot;unknown&quot;,
          &quot;number&quot;: 10,
          &quot;path&quot;: &quot;anon_inode:[eventfd]&quot;,
          &quot;type&quot;: &quot;unknown&quot;
        },
        {
          &quot;class&quot;: &quot;tcp&quot;,
          &quot;number&quot;: 13,
          &quot;path&quot;: &quot;socket:[9420771]&quot;,
          &quot;type&quot;: &quot;socket&quot;
        },
        {
          &quot;class&quot;: &quot;device&quot;,
          &quot;number&quot;: 2,
          &quot;path&quot;: &quot;/dev/null&quot;,
          &quot;type&quot;: &quot;block&quot;
        },
        {
          &quot;class&quot;: &quot;device&quot;,
          &quot;number&quot;: 7,
          &quot;path&quot;: &quot;pipe:[8506748]&quot;,
          &quot;type&quot;: &quot;pipe&quot;
        },
        {
          &quot;class&quot;: &quot;unknown&quot;,
          &quot;number&quot;: 9,
          &quot;path&quot;: &quot;anon_inode:[eventfd]&quot;,
          &quot;type&quot;: &quot;unknown&quot;
        }
      ],
      &quot;flags&quot;: {
        &quot;containerized&quot;: false,
        &quot;deleted&quot;: false,
        &quot;hidden&quot;: false,
        &quot;immutable&quot;: true
      },
      &quot;gid&quot;: 0,
      &quot;gid_name&quot;: &quot;root&quot;,
      &quot;hash&quot;: {
        &quot;md5&quot;: &quot;7275d8b380e6facc7c5420603f2672cc&quot;,
        &quot;sha1&quot;: &quot;1a6ad6106aa4dacb6fc8262169779f743b9255bd&quot;,
        &quot;sha256&quot;: &quot;98412571e95a5cdd24879389f846f3571d5975a92a4d467d292e4c1d6a481cef&quot;,
        &quot;sha512&quot;: &quot;b664e43a878f7a598fd656b31a0eb687533bd9689e22803051cd32d64205518e7b16e715c16a476e471f25dc0368922c33cc519becdc7a7ac41916a494ab85eb&quot;
      },
      &quot;maps&quot;: [
        &quot;00400000-00401000 r--p 00000000 00:00 0 &quot;,
        &quot;00401000-006f0000 r-xp 00000000 00:00 0 &quot;,
        &quot;006f0000-007a2000 r--p 00000000 00:00 0 &quot;,
        &quot;007a2000-00843000 rw-p 00000000 00:00 0 &quot;,
        &quot;01147000-01190000 rw-p 00000000 00:00 0                                  [heap]&quot;,
        &quot;01190000-011b0000 rw-p 00000000 00:00 0                                  [heap]&quot;,
        &quot;7f6394000000-7f6394021000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f6394021000-7f6398000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f639c000000-7f639c021000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f639c021000-7f63a0000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f63a0000000-7f63a0021000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f63a0021000-7f63a4000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f63a4000000-7f63a4021000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f63a4021000-7f63a8000000 ---p 00000000 00:00 0 &quot;,
        &quot;7f63a939c000-7f63a939d000 ---p 00000000 00:00 0 &quot;,
        &quot;7f63a939d000-7f63a9b9d000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f63a9b9d000-7f63a9b9e000 ---p 00000000 00:00 0 &quot;,
        &quot;7f63a9b9e000-7f63aa39e000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f63aa39e000-7f63aa39f000 ---p 00000000 00:00 0 &quot;,
        &quot;7f63aa39f000-7f63aab9f000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f63aab9f000-7f63aaba0000 ---p 00000000 00:00 0 &quot;,
        &quot;7f63aaba0000-7f63ab3a0000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f63ab3a0000-7f63ab3a1000 ---p 00000000 00:00 0 &quot;,
        &quot;7f63ab3a1000-7f63abba1000 rw-p 00000000 00:00 0 &quot;,
        &quot;7f63abba1000-7f63abba2000 r--p 00000000 08:01 135430                     /usr/bin/kthreadd&quot;,
        &quot;7f63abcc5000-7f63abcd9000 r-xp 00000000 00:00 0 &quot;,
        &quot;7ffdb36d9000-7ffdb36fa000 rw-p 00000000 00:00 0                          [stack]&quot;,
        &quot;7ffdb37bd000-7ffdb37bf000 r-xp 00000000 00:00 0                          [vdso]&quot;,
        &quot;ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]&quot;
      ],
      &quot;name&quot;: &quot;kthreadd&quot;,
      &quot;network_ports&quot;: {
        &quot;established&quot;: true,
        &quot;established_num&quot;: 1,
        &quot;icmp&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;icmp6&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;listening&quot;: false,
        &quot;listening_num&quot;: 0,
        &quot;operating&quot;: true,
        &quot;raw&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;raw6&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;sctp&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;tcp&quot;: {
          &quot;connections&quot;: [
            {
              &quot;ip_address_local&quot;: &quot;REDACTED&quot;,
              &quot;ip_address_remote&quot;: &quot;103.231.30.59&quot;,
              &quot;port_local&quot;: 42624,
              &quot;port_remote&quot;: 443
            }
          ],
          &quot;established&quot;: true,
          &quot;established_num&quot;: 1,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: true
        },
        &quot;tcp6&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;udp&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        },
        &quot;udp6&quot;: {
          &quot;connections&quot;: null,
          &quot;established&quot;: false,
          &quot;established_num&quot;: 0,
          &quot;listening&quot;: false,
          &quot;listening_num&quot;: 0,
          &quot;operating&quot;: false
        }
      },
      &quot;path&quot;: &quot;/usr/bin/kthreadd&quot;,
      &quot;pgid&quot;: 6572,
      &quot;pid&quot;: 6572,
      &quot;ppid&quot;: 1,
      &quot;stack&quot;: [
        &quot;ep_poll+0x23e/0x360&quot;,
        &quot;SyS_epoll_wait+0xed/0x120&quot;,
        &quot;system_call_fastpath+0x25/0x2a&quot;,
        &quot;0xffffffffffffffff&quot;
      ],
      &quot;state&quot;: &quot;S&quot;,
      &quot;system_uptime&quot;: &quot;2021-07-10T14:24:17+12:00&quot;,
      &quot;uid&quot;: 0,
      &quot;uid_name&quot;: &quot;root&quot;
    },
    &quot;response&quot;: {
      &quot;directory&quot;: {
        &quot;error&quot;: false
      },
      &quot;file&quot;: {
        &quot;error&quot;: false
      },
      &quot;log&quot;: {
        &quot;error&quot;: false
      },
      &quot;process&quot;: {
        &quot;error&quot;: false,
        &quot;killed&quot;: false,
        &quot;suspended&quot;: false
      },
      &quot;user&quot;: {
        &quot;error&quot;: false
      }
    }
  },
  &quot;severity&quot;: 3,
  &quot;start_time&quot;: &quot;2021-07-19T20:59:10Z&quot;,
  &quot;status&quot;: &quot;alert&quot;,
  &quot;status_msg&quot;: &quot;ok&quot;,
  &quot;tags&quot;: [
    &quot;attack.id.T1027&quot;,
    &quot;attack.tactic.defense_evasion&quot;,
    &quot;attack.tactic.execution&quot;,
    &quot;process&quot;
  ],
  &quot;type&quot;: &quot;process&quot;,
  &quot;uid&quot;: 0,
  &quot;uid_username&quot;: &quot;root&quot;
}</code></pre><h3>Malicious LD_PRELOAD Library</h3><pre data-language="json"><code>{
  &quot;end_time&quot;: &quot;2021-07-19T20:57:13Z&quot;,
  &quot;engine&quot;: &quot;sandfly_engine_file&quot;,
  &quot;euid&quot;: 0,
  &quot;euid_username&quot;: &quot;root&quot;,
  &quot;exec_seconds&quot;: 4,
  &quot;name&quot;: &quot;file_immutable_in_lib_dir&quot;,
  &quot;output_format&quot;: &quot;3.0&quot;,
  &quot;pid&quot;: 54929,
  &quot;results&quot;: {
    &quot;explanation&quot;: &quot;The file '/usr/lib/libcurl.so.2.17.0' is marked as immutable and was found under '/usr/lib/'. Immutable files are not common on Linux, and setting the immutable attribute is often done by malware to prevent itself from being deleted. Please investigate this file to be sure it is meant to be marked immutable and is not part of a malicious program or rootkit. It is owned by UID '0' and was created on 2021-06-26T06:59:10+12:00.&quot;,
    &quot;file&quot;: {
      &quot;blksize&quot;: 4096,
      &quot;blocks&quot;: 64,
      &quot;data&quot;: null,
      &quot;date&quot;: {
        &quot;accessed&quot;: &quot;2021-07-19T20:26:50+12:00&quot;,
        &quot;accessed_minutes&quot;: 750,
        &quot;created&quot;: &quot;2021-06-26T06:59:10+12:00&quot;,
        &quot;created_minutes&quot;: 34678,
        &quot;modified&quot;: &quot;2021-06-26T06:55:12+12:00&quot;,
        &quot;modified_minutes&quot;: 34682
      },
      &quot;device&quot;: 2049,
      &quot;entropy&quot;: 4.31,
      &quot;extension&quot;: &quot;.0&quot;,
      &quot;flags&quot;: {
        &quot;char_device&quot;: false,
        &quot;deleted&quot;: false,
        &quot;device&quot;: false,
        &quot;directory&quot;: false,
        &quot;hidden&quot;: false,
        &quot;immutable&quot;: true,
        &quot;link&quot;: false,
        &quot;named_pipe&quot;: false,
        &quot;regular&quot;: true,
        &quot;sgid&quot;: false,
        &quot;sgid_root&quot;: false,
        &quot;socket&quot;: false,
        &quot;sticky&quot;: false,
        &quot;suid&quot;: false,
        &quot;suid_root&quot;: false
      },
      &quot;gid&quot;: 0,
      &quot;gid_name&quot;: &quot;root&quot;,
      &quot;hash&quot;: {
        &quot;md5&quot;: &quot;fed81f7ec31811ac0d4fda157939504f&quot;,
        &quot;sha1&quot;: &quot;c8a4039a4c347e9571ac042c43028f3d7e2b9784&quot;,
        &quot;sha256&quot;: &quot;139adce4299a9c657347910061e0966482125c39b240eae5ee8b5b18de22c208&quot;,
        &quot;sha512&quot;: &quot;1828a57ec9d6f83d99d23f93769ad74cb22323138b73a3cd7f784005da628b974152d4aa26bd25bf34aec3a5eedeb6a05cfc3138919aef252b92c5cafdf5da44&quot;
      },
      &quot;inode&quot;: 135428,
      &quot;magic_num&quot;: {
        &quot;class&quot;: &quot;executable_linux&quot;,
        &quot;expected_extensions&quot;: [],
        &quot;hex&quot;: &quot;7f454c46020101000000&quot;,
        &quot;text&quot;: &quot;ELF\u0002\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000&gt;\u0000&quot;,
        &quot;type&quot;: &quot;elf&quot;
      },
      &quot;mode&quot;: &quot;0100755&quot;,
      &quot;name&quot;: &quot;libcurl.so.2.17.0&quot;,
      &quot;nlink&quot;: 1,
      &quot;path&quot;: &quot;/usr/lib/libcurl.so.2.17.0&quot;,
      &quot;path_link&quot;: &quot;&quot;,
      &quot;path_root&quot;: &quot;/usr/lib/&quot;,
      &quot;rdevice&quot;: 0,
      &quot;size&quot;: 31336,
      &quot;size_byte_count&quot;: 31336,
      &quot;size_mismatch&quot;: false,
      &quot;uid&quot;: 0,
      &quot;uid_name&quot;: &quot;root&quot;
    },
    &quot;response&quot;: {
      &quot;directory&quot;: {
        &quot;error&quot;: false
      },
      &quot;file&quot;: {
        &quot;error&quot;: false
      },
      &quot;log&quot;: {
        &quot;error&quot;: false
      },
      &quot;process&quot;: {
        &quot;error&quot;: false,
        &quot;killed&quot;: false,
        &quot;suspended&quot;: false
      },
      &quot;user&quot;: {
        &quot;error&quot;: false
      }
    }
  },
  &quot;severity&quot;: 3,
  &quot;start_time&quot;: &quot;2021-07-19T20:57:09Z&quot;,
  &quot;status&quot;: &quot;alert&quot;,
  &quot;status_msg&quot;: &quot;ok&quot;,
  &quot;tags&quot;: [
    &quot;attack.tactic.persistence&quot;,
    &quot;file&quot;
  ],
  &quot;type&quot;: &quot;file&quot;,
  &quot;uid&quot;: 0,
  &quot;uid_username&quot;: &quot;root&quot;
}</code></pre><h3>Malicious root SSH Key</h3><p>The SSH key below was inserted by the malware into the root user's <em>authorized_keys</em> file to allow remote access. Note that the alert shows the entry carries no restricting key options and the file is flagged immutable, so the attribute must be cleared (<code>chattr -i</code>) before the key can be removed.</p><pre data-language="json"><code>{
  &quot;end_time&quot;: &quot;2021-07-19T20:59:11Z&quot;,
  &quot;engine&quot;: &quot;sandfly_engine_user&quot;,
  &quot;euid&quot;: 0,
  &quot;euid_username&quot;: &quot;root&quot;,
  &quot;exec_seconds&quot;: 0,
  &quot;name&quot;: &quot;user_ssh_authorized_keys_immutable&quot;,
  &quot;output_format&quot;: &quot;3.0&quot;,
  &quot;pid&quot;: 54929,
  &quot;results&quot;: {
    &quot;explanation&quot;: &quot;The SSH authorized_keys file for user 'root' is marked as immutable and was found under '/root/.ssh/authorized_keys'. Immutable SSH authorized_keys files are not common on Linux, and setting the immutable attribute is often done by malware to prevent its credentials from being deleted. Please investigate this file to be sure it is meant to be marked immutable and is not part of a malicious program or rootkit. It is owned by UID '0' and was created on 2021-06-26T06:59:10+12:00.&quot;,
    &quot;response&quot;: {
      &quot;directory&quot;: {
        &quot;error&quot;: false
      },
      &quot;file&quot;: {
        &quot;error&quot;: false
      },
      &quot;log&quot;: {
        &quot;error&quot;: false
      },
      &quot;process&quot;: {
        &quot;error&quot;: false,
        &quot;killed&quot;: false,
        &quot;suspended&quot;: false
      },
      &quot;user&quot;: {
        &quot;error&quot;: false
      }
    },
    &quot;user&quot;: {
      &quot;gecos&quot;: &quot;root&quot;,
      &quot;gid&quot;: 0,
      &quot;gid_name&quot;: &quot;root&quot;,
      &quot;group_membership&quot;: null,
      &quot;home_dir&quot;: &quot;/root&quot;,
      &quot;password&quot;: {
        &quot;age_max&quot;: 99999,
        &quot;age_min&quot;: 0,
        &quot;days_since_expired&quot;: 0,
        &quot;days_since_last_changed&quot;: 5,
        &quot;disabled&quot;: false,
        &quot;empty&quot;: false,
        &quot;hash&quot;: {
          &quot;md5&quot;: &quot;bf1d75ea36725c891826d9863ed2b5ba&quot;,
          &quot;sha1&quot;: &quot;97c44aaa7db98765b8ba9e5375fed7acc46dcd56&quot;,
          &quot;sha256&quot;: &quot;27dae2857e4b6c627377cc996c2d2b906d1d29a411f3a03f537916419d933eb5&quot;,
          &quot;sha512&quot;: &quot;e99e980a9058bf37921c00b63c325a8fd3e1b9d8a49acdc66bbcac9df7b61fe6351b77dc56a7c3dffeb638b3e7d5a5fa98926ec6dc7fed0b166ae306afc654e2&quot;
        },
        &quot;inactivity_period&quot;: 0,
        &quot;locked&quot;: false,
        &quot;present&quot;: true,
        &quot;reserved&quot;: &quot;&quot;,
        &quot;type&quot;: &quot;sha-512&quot;,
        &quot;warning_period&quot;: 7
      },
      &quot;shell&quot;: &quot;/bin/bash&quot;,
      &quot;ssh&quot;: {
        &quot;authorized_keys&quot;: {
          &quot;data&quot;: [
            {
              &quot;comment&quot;: &quot;rsa 2048-040119&quot;,
              &quot;entry&quot;: &quot;ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv54nAGwGwm626zrsUeI0bnVYgjgS/ux7V5phklbZYFHEm+3Aa0gfu5EQyQdnhTpo1adaKxWJ97mrM5a2VAfTN+n6KUwNYRZpaDKiUwmHNUSW7E1S18ClTCBtRsC0rRDTnIrslTRSHlM3cNN+MskKTW/vWz/oE3ll4MMQqexZlsLvMpVVlGq6t3XjFXz0ABBI8GJ0RaBS81FS2R1DNSCb+zORNb6SP6g9hHk1i9V5PjWNqNGXyzWIrCxLc88dGaTttUYEoxCl4z9YOiTw8F5S4svbcqTTVIu/zt/7OIQixDREGbddAaXZXidu+ijFeeOul/lJXEXQK8eR1DX1k2VL+w== rsa 2048-040119&quot;,
              &quot;entry_num&quot;: 1,
              &quot;hash&quot;: {
                &quot;md5&quot;: &quot;e2d6943f010de84d3c2f108f6e245332&quot;,
                &quot;sha1&quot;: &quot;559c2b1fa95ff99ce619a4c8f09a6ba1c8a38287&quot;,
                &quot;sha256&quot;: &quot;62b8b5844975d78d59d3fb1b706f6507f6b2c0523e92655b931af2e756a97f59&quot;,
                &quot;sha512&quot;: &quot;8d94c2ede768628017eaf08ecc248599a783f3e39d18c07376318f328ddf00dd3b506d4554c9a660e91685b97e04db3ac6aba3d2c642a5ac11054b0c6e6b81e8&quot;
              },
              &quot;key&quot;: &quot;AAAAB3NzaC1yc2EAAAABIwAAAQEAv54nAGwGwm626zrsUeI0bnVYgjgS/ux7V5phklbZYFHEm+3Aa0gfu5EQyQdnhTpo1adaKxWJ97mrM5a2VAfTN+n6KUwNYRZpaDKiUwmHNUSW7E1S18ClTCBtRsC0rRDTnIrslTRSHlM3cNN+MskKTW/vWz/oE3ll4MMQqexZlsLvMpVVlGq6t3XjFXz0ABBI8GJ0RaBS81FS2R1DNSCb+zORNb6SP6g9hHk1i9V5PjWNqNGXyzWIrCxLc88dGaTttUYEoxCl4z9YOiTw8F5S4svbcqTTVIu/zt/7OIQixDREGbddAaXZXidu+ijFeeOul/lJXEXQK8eR1DX1k2VL+w==&quot;,
              &quot;options&quot;: &quot;&quot;,
              &quot;path&quot;: &quot;/root/.ssh/authorized_keys&quot;,
              &quot;type&quot;: &quot;ssh-rsa&quot;
            }
          ],
          &quot;duplicate_found&quot;: false,
          &quot;file&quot;: [
            {
              &quot;blksize&quot;: 4096,
              &quot;blocks&quot;: 8,
              &quot;data&quot;: null,
              &quot;date&quot;: {
                &quot;accessed&quot;: &quot;2021-07-19T20:26:50+12:00&quot;,
                &quot;accessed_minutes&quot;: 752,
                &quot;created&quot;: &quot;2021-06-26T06:59:10+12:00&quot;,
                &quot;created_minutes&quot;: 34680,
                &quot;modified&quot;: &quot;2021-06-26T06:59:10+12:00&quot;,
                &quot;modified_minutes&quot;: 34680
              },
              &quot;device&quot;: 2049,
              &quot;entropy&quot;: 5.93,
              &quot;extension&quot;: &quot;&quot;,
              &quot;flags&quot;: {
                &quot;char_device&quot;: false,
                &quot;deleted&quot;: false,
                &quot;device&quot;: false,
                &quot;directory&quot;: false,
                &quot;hidden&quot;: false,
                &quot;immutable&quot;: true,
                &quot;link&quot;: false,
                &quot;named_pipe&quot;: false,
                &quot;regular&quot;: true,
                &quot;sgid&quot;: false,
                &quot;sgid_root&quot;: false,
                &quot;socket&quot;: false,
                &quot;sticky&quot;: false,
                &quot;suid&quot;: false,
                &quot;suid_root&quot;: false
              },
              &quot;gid&quot;: 0,
              &quot;gid_name&quot;: &quot;root&quot;,
              &quot;hash&quot;: {
                &quot;md5&quot;: &quot;a4bcd006b681d3ef99c3c28be376116e&quot;,
                &quot;sha1&quot;: &quot;1c59c1c28754d015a79d98b4868a700ba2184af3&quot;,
                &quot;sha256&quot;: &quot;ccadae0c6dc8985186f4d639f5ba7dd262cd95253158e468613a4e53d1f1578a&quot;,
                &quot;sha512&quot;: &quot;8d427a01ae69ec00324b08a465dda067426c6a4bbc040bedb2ede695b214752821ba7296171815f141712f93ba7a6cdd037c2a3b855da55a1bd637b51be29b1e&quot;
              },
              &quot;inode&quot;: 396458,
              &quot;magic_num&quot;: {
                &quot;class&quot;: &quot;unknown&quot;,
                &quot;expected_extensions&quot;: null,
                &quot;hex&quot;: &quot;7373682d727361204141&quot;,
                &quot;text&quot;: &quot;ssh-rsa AAAAB3NzaC1y&quot;,
                &quot;type&quot;: &quot;unknown&quot;
              },
              &quot;mode&quot;: &quot;0100644&quot;,
              &quot;name&quot;: &quot;authorized_keys&quot;,
              &quot;nlink&quot;: 1,
              &quot;path&quot;: &quot;/root/.ssh/authorized_keys&quot;,
              &quot;path_link&quot;: &quot;&quot;,
              &quot;path_root&quot;: &quot;/root/.ssh/&quot;,
              &quot;rdevice&quot;: 0,
              &quot;size&quot;: 396,
              &quot;size_byte_count&quot;: 396,
              &quot;size_mismatch&quot;: false,
              &quot;uid&quot;: 0,
              &quot;uid_name&quot;: &quot;root&quot;
            }
          ],
          &quot;present&quot;: true,
          &quot;total&quot;: 1
        }
      },
      &quot;uid&quot;: 0,
      &quot;username&quot;: &quot;root&quot;
    }
  },
  &quot;severity&quot;: 3,
  &quot;start_time&quot;: &quot;2021-07-19T20:59:11Z&quot;,
  &quot;status&quot;: &quot;alert&quot;,
  &quot;status_msg&quot;: &quot;ok&quot;,
  &quot;tags&quot;: [
    &quot;attack.id.T1021.004&quot;,
    &quot;attack.id.T1078&quot;,
    &quot;attack.id.T1098.004&quot;,
    &quot;attack.tactic.initial_access&quot;,
    &quot;attack.tactic.lateral_movement&quot;,
    &quot;attack.tactic.persistence&quot;,
    &quot;user&quot;
  ],
  &quot;type&quot;: &quot;user&quot;,
  &quot;uid&quot;: 0,
  &quot;uid_username&quot;: &quot;root&quot;
}</code></pre><p>Full Key:</p><pre data-language="json"><code>ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv54nAGwGwm626zrsUeI0bnVYgjgS/ux7V5phklbZYFHEm+3Aa
0gfu5EQyQdnhTpo1adaKxWJ97mrM5a2VAfTN+n6KUwNYRZpaDKiUwmHNUSW7E1S18ClTCBtRsC0rRDTnIrslT
RSHlM3cNN+MskKTW/vWz/oE3ll4MMQqexZlsLvMpVVlGq6t3XjFXz0ABBI8GJ0RaBS81FS2R1DNSCb+zORNb6
SP6g9hHk1i9V5PjWNqNGXyzWIrCxLc88dGaTttUYEoxCl4z9YOiTw8F5S4svbcqTTVIu/zt/7OIQixDREGbdd
AaXZXidu+ijFeeOul/lJXEXQK8eR1DX1k2VL+w== rsa 2048-040119
</code></pre>
Sandfly finds malware and intruders on Linux without agents.","email":"support@sandflysecurity.com","contactPoint":[{"@type":"ContactPoint","email":"support@sandflysecurity.com","contactType":"customer service"}],"url":"https://www.sandflysecurity.com","logo":"/icon.svg","sameAs":["https://www.facebook.com/sandflysec","https://twitter.com/sandflysecurity"]}</script></div></div><div id="gatsby-announcer" style="position: absolute; top: 0px; width: 1px; height: 1px; padding: 0px; overflow: hidden; clip: rect(0, 0, 0, 0); white-space: nowrap; border: 0px;" aria-live="assertive" aria-atomic="true"></div></div><script async src="https://www.googletagmanager.com/gtag/js?id=G-D2N4MNQFQ1"></script><script>
      
      
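      // Google Analytics (gtag.js) bootstrap. The whole setup is skipped when the
      // browser signals Do Not Track: no dataLayer is created and no 'js'/'config'
      // commands are queued for the async gtag loader script above.
      //
      // The DNT test mirrors the doNotTrack checks of the HubSpot snippet further
      // down the page, which also honours the legacy Firefox value "yes" and IE's
      // navigator.msDoNotTrack. Previously only the "1" values were checked here,
      // so the two trackers could disagree about the same browser's DNT setting.
      if(!(window.doNotTrack == "1" || navigator.doNotTrack == "1" || navigator.doNotTrack == "yes" || navigator.msDoNotTrack == "1")) {
        window.dataLayer = window.dataLayer || [];
        // gtag() forwards its arguments object to dataLayer unchanged (the shape
        // gtag.js consumes) and is a no-op if dataLayer has since been removed.
        function gtag(){window.dataLayer && window.dataLayer.push(arguments);}
        gtag('js', new Date());

        // send_page_view is disabled here; presumably page views are reported
        // elsewhere (e.g. on client-side route changes) — not visible in this file.
        gtag('config', 'G-D2N4MNQFQ1', {"send_page_view":false});
      }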
      </script><script type="text/javascript" id="hs-script-loader" async defer src="//js.hs-scripts.com/4661162.js"></script><script>var _hsq = window._hsq = window._hsq || [];_hsq.push(['setPath', window.location.pathname + window.location.search + window.location.hash]);if (window.doNotTrack || navigator.doNotTrack || navigator.msDoNotTrack || 'msTrackingProtectionEnabled' in window.external) {if (window.doNotTrack == '1' || navigator.doNotTrack == 'yes' || navigator.doNotTrack == '1' || navigator.msDoNotTrack == '1' || window.external.msTrackingProtectionEnabled()) {_hsq.push(['doNotTrack']);}}</script><script id="gatsby-script-loader">/*<![CDATA[*/window.pagePath="/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/";/*]]>*/</script><script id="gatsby-chunk-mapping">/*<![CDATA[*/window.___chunkMapping={"polyfill":["/polyfill-552ac1476542cef0c9e5.js"],"app":["/app-132ada53c3c9e9f3531c.js"],"reactPlayerYouTube":["/reactPlayerYouTube-6aad408dd50e459afbef.js"],"reactPlayerSoundCloud":["/reactPlayerSoundCloud-21112285341210625ceb.js"],"reactPlayerVimeo":["/reactPlayerVimeo-3967f7f73f9ebbc15433.js"],"reactPlayerFacebook":["/reactPlayerFacebook-6cf39214240c6e353565.js"],"reactPlayerStreamable":["/reactPlayerStreamable-91e03012e170dbc6cdfe.js"],"reactPlayerWistia":["/reactPlayerWistia-2a66d1a2352cd3c36290.js"],"reactPlayerTwitch":["/reactPlayerTwitch-29c8828de0a5d3ea37da.js"],"reactPlayerDailyMotion":["/reactPlayerDailyMotion-ad4aaadbc08836c0d38d.js"],"reactPlayerMixcloud":["/reactPlayerMixcloud-6499c88a7b0ce4cf039e.js"],"reactPlayerVidyard":["/reactPlayerVidyard-ed86c9dcae3bb1a3d50e.js"],"reactPlayerKaltura":["/reactPlayerKaltura-c3e547ddbd182d91b0c5.js"],"reactPlayerFilePlayer":["/reactPlayerFilePlayer-905eadf49553675010ae.js"],"reactPlayerPreview":["/reactPlayerPreview-edb57ea9074c45784973.js"],"component---src-pages-styleguide-tsx":["/component---src-pages-styleguide-tsx-fe8c5a5096fa04fd1106.js"],"component---src-templates-case-studies-tsx":["/component--
-src-templates-case-studies-tsx-527ccf4fb1b47bc2a35a.js"],"component---src-templates-case-study-tsx":["/component---src-templates-case-study-tsx-17c849e4e8c56329441b.js"],"component---src-templates-page-tsx":["/component---src-templates-page-tsx-e11ef84a54e27be00a81.js"],"component---src-templates-post-list-tsx":["/component---src-templates-post-list-tsx-f5abfad91776bce810b9.js"],"component---src-templates-post-tag-tsx":["/component---src-templates-post-tag-tsx-1cac1ee737aedca4b7fa.js"],"component---src-templates-post-tsx":["/component---src-templates-post-tsx-ae335e01da7e1c5f3255.js"],"component---src-templates-pricing-tsx":["/component---src-templates-pricing-tsx-0cf297b42af79378fb7b.js"]};/*]]>*/</script><script src="/polyfill-552ac1476542cef0c9e5.js" noModule></script><script src="/component---src-templates-post-tsx-ae335e01da7e1c5f3255.js" async></script><script src="/commons-cdf8d21da97b7f8c3277.js" async></script><script src="/app-132ada53c3c9e9f3531c.js" async></script><script src="/dc6a8720040df98778fe970bf6c000a41750d3ae-dd93728800e4a0b477f1.js" async></script><script src="/d7eeaac4-9383b673d380ff69a85f.js" async></script><script src="/0c428ae2-077c794f033ffcb85804.js" async></script><script src="/1bfc9850-31218c3c985bbd75ceed.js" async></script><script src="/545f34e4-72cf32f6098a825aca20.js" async></script><script src="/252f366e-b322fa72583b59061ed4.js" async></script><script src="/framework-c263438ac2c988728477.js" async></script><script src="/webpack-runtime-879b79453e276ef30ce2.js" async></script></body></html>